
[Back-cover text (lost in extraction); surviving references: SPI Dynamics, TippingPoint, PaiMei, Sulley, iDefense, UNIX.]

FUZZING

www.symbol.ru
(812) 324-5353, (495) 945-8100

FUZZING
Brute Force Vulnerability Discovery

Michael Sutton, Adam Greene
and Pedram Amini

FUZZING

2009

High tech

Sutton M., Greene A., Amini P.
Fuzzing: Brute Force Vulnerability Discovery (Russian edition).
2009. 560 pp.

ISBN: 978-5-93286-147-9
ISBN: 978-0-321-44611-4 (English edition)
2009
Authorized translation of the English edition 2007 Pearson Education Inc. This
translation is published and sold by permission of Pearson Education Inc., the owner of
all rights to publish and sell the same.

199034, 16, 7,
tel. (812) 324-5353, www.symbol.ru. N 000054, 25.12.98.
30.07.2009. Format 70×100/16.
35 printer's sheets. Print run 1200.

199034, 9, 12.


Foreword . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
About the Authors . . . . . . . . . . . . . . . . . . . . . . . . . . . 25

Part I. Background . . . . . . . . . . . . . . . . . . . . . . . . . . 27
Chapter 1. Vulnerability Discovery Methodologies . . . . . . . . . . . 29
Chapter 2. What Is Fuzzing? . . . . . . . . . . . . . . . . . . . . . . 45
Chapter 3. Fuzzing Methods and Fuzzer Types . . . . . . . . . . . . . . 56
Chapter 4. Data Representation and Analysis . . . . . . . . . . . . . . 68
Chapter 5. Requirements for Effective Fuzzing . . . . . . . . . . . . . 83

Part II. Targets and Automation . . . . . . . . . . . . . . . . . . . . 93
Chapter 6. Automation and Data Generation . . . . . . . . . . . . . . . 95
    Ethereal/Wireshark . . . . . . . . . . . . . . . . . . . . . . . . . 97
    libdasm and libdisasm . . . . . . . . . . . . . . . . . . . . . . . 97
    Libnet/LibnetNT . . . . . . . . . . . . . . . . . . . . . . . . . . 98
    LibPCAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
    Metro Packet Library . . . . . . . . . . . . . . . . . . . . . . . . 98
    PTrace . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
    Python extensions . . . . . . . . . . . . . . . . . . . . . . . . . 99
Chapter 7. Environment Variable and Argument Fuzzing . . . . . . . . . 111
    UNIX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 117
    GNU Debugger (GDB) . . . . . . . . . . . . . . . . . . . . . . . . 118
Chapter 8. Environment Variable and Argument Fuzzing: Automation . . . 124
    iFUZZ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
Chapter 9. Web Application and Server Fuzzing . . . . . . . . . . . . 134
Chapter 10. Web Application and Server Fuzzing: Automation . . . . . . 159
    SQL injection . . . . . . . . . . . . . . . . . . . . . . . . . . 182
    XSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
Chapter 11. File Format Fuzzing . . . . . . . . . . . . . . . . . . . 188
Chapter 12. File Format Fuzzing: Automation on UNIX . . . . . . . . . 200
    notSPIKEfile and SPIKEfile . . . . . . . . . . . . . . . . . . . . 201
    Adobe Acrobat . . . . . . . . . . . . . . . . . . . . . . . . . . 211
    RealNetworks RealPlayer . . . . . . . . . . . . . . . . . . . . . 212
    RealPix (RealPlayer) . . . . . . . . . . . . . . . . . . . . . . . 212
Chapter 13. File Format Fuzzing: Automation on Windows . . . . . . . . 215
    Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 216
Chapter 14. Network Protocol Fuzzing . . . . . . . . . . . . . . . . . 242
Chapter 15. Network Protocol Fuzzing: Automation on UNIX . . . . . . . 254
    SPIKE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
    SPIKE 101 . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
    TCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
    SPIKE and NMAP . . . . . . . . . . . . . . . . . . . . . . . . . . 263
Chapter 16. Network Protocol Fuzzing: Automation on Windows . . . . . 268
Chapter 17. Web Browser Fuzzing . . . . . . . . . . . . . . . . . . . 285
Chapter 18. Web Browser Fuzzing: Automation . . . . . . . . . . . . . 303
    ActiveX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305
Chapter 19. In-Memory Fuzzing . . . . . . . . . . . . . . . . . . . . 319
Chapter 20. In-Memory Fuzzing: Automation . . . . . . . . . . . . . . 332
    Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 337
    PyDbg . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 348

Part III. Advanced Fuzzing Technologies . . . . . . . . . . . . . . . 365
Chapter 21. Fuzzing Frameworks . . . . . . . . . . . . . . . . . . . . 367
    Antiparser . . . . . . . . . . . . . . . . . . . . . . . . . . . . 371
    Dfuz . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 373
    SPIKE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378
    Peach . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 381
    Autodafé . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 387
    Case study: Shockwave Flash . . . . . . . . . . . . . . . . . . . 389
    SWF . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 391
    Sulley . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 403
Chapter 22. Automated Protocol Dissection . . . . . . . . . . . . . . 436
Chapter 23. Fuzzer Tracking . . . . . . . . . . . . . . . . . . . . . 453
    CFG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 456
    PStalker Layout . . . . . . . . . . . . . . . . . . . . . . . . . 466
Chapter 24. Intelligent Fault Detection . . . . . . . . . . . . . . . 484

Part IV. Looking Forward . . . . . . . . . . . . . . . . . . . . . . . 505
Chapter 25. Lessons Learned . . . . . . . . . . . . . . . . . . . . . 507
    SDLC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513
Chapter 26. Looking Forward . . . . . . . . . . . . . . . . . . . . . 516
    beSTORM (Beyond Security) . . . . . . . . . . . . . . . . . . . . 517
    BPS-1000 (BreakingPoint Systems) . . . . . . . . . . . . . . . . . 518
    Codenomicon . . . . . . . . . . . . . . . . . . . . . . . . . . . 519
    GLEG ProtoVer Professional . . . . . . . . . . . . . . . . . . . . 521
    Mu Security Mu-4000 . . . . . . . . . . . . . . . . . . . . . . . 521
    Security Innovation Holodeck . . . . . . . . . . . . . . . . . . . 523

Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 526

Foreword

[Text lost in extraction; surviving references: Mac OS X; a UDP fuzzer (2003); Microsoft WINS; Computer Associates; Norton Ghost; 2006; ActiveX and AxMan; Microsoft; Month of Browser Bugs; Metasploit Framework.]


Preface

[Text lost in extraction; surviving references: Microsoft Internet Explorer, Microsoft Word and Microsoft Excel (2006); the software development life cycle (SDLC); Exploiting Software (Greg Hoglund and Gary McGraw), Hacking Exposed, The Shellcoder's Handbook (Jack Koziol, David Litchfield and others); the book's layout in Parts I to IV, Part II covering Windows and UNIX, with Chapter 11, Chapter 12 (UNIX) and Chapter 13 (Windows).]


[Text lost in extraction; surviving references: the 43rd president (a.k.a. Dubya) [1]; "The L Word & Fish" on DailyDave [2]; the word "fuzzy" in the note on the cover.]

Companion website: www.fuzzing.org

[Text lost in extraction.]

[1] http://tinyurl.com/33l54g
[2] http://archives.neohapsis.com/archives/dailydave/2004-q1/0023.html



Acknowledgments

[Text lost in extraction; surviving names: Peter DeVriews, Charlie Miller, H. D. Moore; at Addison-Wesley: Sheri Cain, Kristin Weinberger, Romny French, Jana Jones and Lori Lyons.]



[Michael's acknowledgments (text lost in extraction); surviving references: iDefense Labs, SPI Dynamics, GOYA, GOMOA.]

[Adam's acknowledgments (text lost in extraction); surviving names: JTHS, Mark Chegwidden, Louis Collucci, Chris Burkhart, sgo, Nadwodny, Dave Aitel, Jamie Breiten, Kloub and AE.]

[Pedram's acknowledgments (text lost in extraction); surviving names: Cody Pierce, Cameron Hotchkies and Aaron Portnoy at TippingPoint; Peter Silberman, Jamie Butler, Xo, Halvar Flake and Ero Carrera; David Endler, Ralph Schindler, Sunil James and Nicolas Augello.]



(Michael Sutton) SPI
Dynamics. , $
, $
.
, ,
.
$ (WASC),
$.
SPI Dynamics iDefense/Veri$
Sign, iDefense Labs, $
,
.
(ISAAS)
Ernst & Young.
.
; , ,
. $
.


(Adam Green) $ $
, .
iDefense Labs, ,
.
, $
, UNIX$
.


(Pedram Amini) $
TippingPoint.

26

$
iDefense Labs. ,
, :
, .
( ) $
PaiMei Sulley.
, OpenRCE.org, $
$, .
RECon, BlackHat, DefCon, ShmooCon ToorCon $
,
.
.

1.
2. ?
3.
4.
5.

?
$.,
29 2000

,
, . $
? , $
. ,
$
.
:
, . $
, . $
$
. , $

. , $
$
; . $
$
.
,
, .

, , .

30

1.

$
, $
, , , $
, .
,
.
, ,
.

, ,
.



. , $

,
.



$ . ,
, ,
. $
, $
$

. , $
, .
,
.
, $
C, test
10$ :
#include <string.h>

int main(int argc, char **argv)
{
    char buffer[10];
    strcpy(buffer, "test");   /* "test" (5 bytes including the NUL) fits in the 10-byte buffer */
    return 0;
}

, $
:
#include <string.h>

int main(int argc, char **argv)
{
    char buffer[10];
    strcpy(buffer, argv[1]);  /* unbounded copy of user-controlled input: the overflow the text discusses */
    return 0;
}

Microsoft
, $
, $
, 2004 .
, , , $
Mi$
crosoft Windows NT 4.0 Windows 2000. Microsoft $
, .
, $
$
. . $
.
, , CVE$2004$0566,
.bmp.1 $
, Microsoft , , $

.2 ? $
? $
, ,

, $
. ,
. , ,
TinyKRNL3 ReactOS4, $
Microsoft
Windows.
Microsoft, $
, $ $
Windows . Win$
dows ,
$
Windows.
1. http://archives.neohapsis.com/archives/fulldisclosure/2004-02/0806.html
2. http://news.zdnet.com/2100-1009_22-5160566.html
3. http://www.tinykrnl.org/
4. http://www.reactos.org/

31

32

1.

strcpy(),
. strcpy()
C/C++, $
, .
, ,
, $
.
, test (
) 5, , 10$
, .
$
, .
, $
. $
strcpy() . $
, $
. ,
. $
, . $
, .
, $
, . ,
? : , ,
, , $
. $
. , $
, , ,
, . $
,
. , , $
.


$
: , $
.
(compile time checker)
. ,
$
. /analyze Microsoft Visual C++
.1 Microsoft PREfast for Drivers2,

1. http://msdn2.microsoft.com/en-us/library/k3a3hzw7.aspx
2. http://www.microsoft.com/whdc/devtools/tools/PREfast.mspx

33

$
, .
, $
.
,
$
. , , $
, strcpy(), $
. Cscope1 Linux
Cross$Reference2 .

$
. , $
, . ,
,
, $
. $
, Fortify3, Coveri$
ty4, KlocWork5, GrammaTech6 . . 1.1 $
, ,
, , .
Table 1.1.

Tool                                      | Languages                  | Platforms   | URL
RATS (Rough Auditing Tool for Security)   | C, C++, Perl, PHP, Python  | UNIX, Win32 | http://www.fortifysoftware.com/security-resources/rats.jsp
ITS4                                      | C, C++                     | UNIX, Win32 | http://www.cigital.com/its4/
Splint                                    |                            | UNIX, Win32 | http://lclint.cs.virginia.edu/
Flawfinder                                | C, C++                     | UNIX        | http://www.dwheeler.com/flawfinder/
Jlint                                     | Java                       | UNIX, Win32 | http://jlint.sourceforge.net/
CodeSpy                                   | Java                       | Java        | http://www.owasp.org/software/labs/codespy.htm

1. http://cscope.sourceforge.net/
2. http://lxr.linux.no/
3. http://www.fortifysoftware.com/
4. http://www.coverity.com/
5. http://www.klocwork.com/
6. http://www.grammatech.com/

34

1.

,
. $
.
. , $
, ,
, , ,
, . , , ,
Rough Auditing Tool for Security (RATS)
, . RATS
: $
strcpy(). $
.

, ,
.
Entries in perl database: 33
Entries in python database: 62
Entries in c database: 334
Entries in php database: 55
Analyzing userinput.c
userinput.c:4: High: fixed size local buffer
Extra care should be taken to ensure that character arrays that
are allocated on the stack are used safely. They are prime targets
for buffer overflow attacks.
userinput.c:5: High: strcpy
Check to be sure that argument 2 passed to this function call will not copy
more data than can be handled, resulting in a buffer overflow.
Total lines analyzed: 7
Total time 0.000131 seconds
53435 lines per second
Entries in perl database: 33
Entries in python database: 62
Entries in c database: 334
Entries in php database: 55
Analyzing userinput.c
userinput.c:4: High: fixed size local buffer
Extra care should be taken to ensure that character arrays that
are allocated on the stack are used safely. They are prime targets
for buffer overflow attacks.
userinput.c:5: High: strcpy
Check to be sure that argument 2 passed to this function call will not copy
more data than can be handled, resulting in a buffer overflow.
Total lines analyzed: 7
Total time 0.000794 seconds
8816 lines per second

35


, $
. ?
, . ,
, $
. ,
Microsoft Windows $
. ?
. , $
. $
. , , $
, $
.
. ,
.
:
. $
. , $
, , .
, $
.

, $
.
. . $
UNIX , $
, Win32, $
. $
$
.


, , $
. $
, , , $
, $
.
$ $.
HTML XML, $$
,
, .
:
Microsoft Office, $

36

1.

, , $
. ,
.
, $
. $
, .


, $.
$. $
$
, .
$
, $
, SQL$.
, $
, ( $
). ,
, (sweeping), $
. ,

. ,
LDAP, $
LDAP , . , $
, $
, .

CreateProcess() , $
Microsoft Windows (API). $
, CreateProcess()
.1 :
BOOL CreateProcess(
    LPCTSTR lpApplicationName,
    LPTSTR lpCommandLine,
    LPSECURITY_ATTRIBUTES lpProcessAttributes,
    LPSECURITY_ATTRIBUTES lpThreadAttributes,
    BOOL bInheritHandles,
    DWORD dwCreationFlags,
    LPVOID lpEnvironment,
    LPCTSTR lpCurrentDirectory,
    LPSTARTUPINFO lpStartupInfo,
    LPPROCESS_INFORMATION lpProcessInformation
);

1. http://msdn2.microsoft.com/en-us/library/ms682425.aspx

,
lpApplicationName NULL, ,
, $
lpCommandLine. , , Create
Process():
CreateProcess(
NULL,
"c:\program files\sub dir\program.exe",
...
);

CreateProcess() $
, :
c:\program.exe
c:\program files\sub.exe
c:\program files\sub dir\program.exe

, $

. , program.exe $
c:\,
CreateProcess() pro$
gram.exe. $
, .
2005 1, $
$
CreateProcess().
$
. ,
(, notepad.exe)
c:\.
. $
, , , Cre
ateProcess().
1. http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=340

37

38

1.

,
, , , $
, $
. 2 ?
. , $
,
( ), .
,
,
. $
$, . 1.1.

. 1.1. +

Microsoft?
.
2005 The Trustworthy Computing Security Deve$
lopment Lifecycle document (SDL)1 , Microsoft

. SDL
, $
, $
, $
. SDL
,
. $
, $
SDL,
.
1. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/sdl.asp

39

, Name () $
, Age () .
,
? $
ASCII? $
? ? $
$
. $
, .
, , .
. $
, ,
,
.


, ,
. :
.
, , ,
.
. $
, , , $
, FTP$, $
FTP$.
. , (reverse
code engineering, RCE), , $

.
, $
, $
, ,
$ , , .
$
. , :
. $
, , ,
. $
23 .
. , $
, .
, , $
; $
, .

40

1.

$
,
RCE.


, $
, $
(reverse code engineer$
ing RCE). , $
$
. ,
, , $
. $
, . $
, .

.


RCE ,
RCE , $
. RCE
. $
,
$
, ,
().
$
.
,
, $
, ,
. , ,
. $
,
. , $
. $
, , .
, $
, , $
().
, . $
,
, , DataRescues Interac$

41

tive Disassembler (IDA) Pro1, . 1.2. IDA


, Win$
dows, UNIX MacOS
.
$
, .
,
$
. , $
, , , $
, $
, .
, (, C C++), $

. Boomerang.2 $
,
(, C#), $
, $
.
,
, $

. 1.2. DataRescue IDA Pro


1
2

http://www.datarescue.com
http://www.boomerang.sourceforge.net/

42

1.

. $
$
. Win32
OllyDbg1, . 1.3, Microsoft
WinDbg ( wind bag, , ).2
WinDbg Debugging Tools for Windows3,
Microsoft. OllyDbg $
,
. $
, $
OllyDbg.4 UNIX
, $
GNU Project Debugger5 (GDB). GDB $
UNIX/Linux.

. 1.3. OllyDbg

1. http://www.ollydbg.de/
2. http://www.openrce.org/forums/posts/4
3. http://www.microsoft.com/whdc/devtools/debugging/default.mspx
4. http://www.openrce.org/downloads/browse/OllyDbg_Plugins
5. http://www.gnu.org/software/gdb/gdb.html

43


,
RCE
. , , $
, IDA Pro, $
. . 1.2 .
1.2.

LogiScan

LogicLibrary

LogicLibrary BugScan
2004 , $

Logidex SDA

BugScam Halvar Flake

BugScam $
IDC IDA Pro, $

,
$
$
.
$
BugScan

Inspector HB Gary

Inspector $
RCE,

RCE,
IDA Pro OllyDbg

Security$ Veracode
Review

VeraCode $
$
. $
$
,
Coverity.
Vera$
Code $
,

BinAudit SABRE Security

$
BinAudit . $
$$
SABRE Security
IDA Pro, $
$

, $
, $
. .

44

1.


, $
, $
RCE. ,
, . :
. $ $
, .
. , $
, $
.
:
. RCE , $
$
.

$
, . $
, .
, ,
$
. $
, , $
, $
RCE.
$
.
,
$
.
.
, , .
, $
, .
$
, RCE.

, $
. $

.

2
?
.
$.,
, ,
6 2000

,
, $
. ,
.

. $
, ,
$ , $
$.


fuzzing
$, , $
. $
$
$. $
.
(bo$
undary value analysis, BVA)1,
1

http://en.wikipedia.org/wiki/Boundary_value_analysis

46

2. ?


, $
. BVA $
, $
,
. BVA, $
, ,
.


.
$
, , $
. , , (very generic) , $
. $
: ,
, , $
, $
.
. 3
$
.
$
. ,
. ,
, , $
. , $
, $
, , $
. $
, .
, $
.
, , $
,
. ,
.
, $
$
, , $
. , ,
.
$
!

47


,
1989 . (Barton Miller) ( $
) , $
, $
UNIX.1 $
,
. $
, setuid $
. 1995 $
UNIX .
1995 ,
$ .
, ,
. , ,
, .

, . . .
, , ,
.
1999
PROTOS. PROTOS $
: ,
, ,
, .
, $
. $

, $
.
2002 Microsoft $
PROTOS2, 2003 PROTOS $
Codenomicon (Codenomicon) ,

. $ $
, , $
,
.3
Codenomicon
26 .
1
2
3

http://www.cs.wisc.edu/~bart/fuzz/
http://www.ee.oulu.fi/research/ouspg/protos/index.html
http://www.codenomicon.com/products/features.shtml

48

2. ?

PROTOS 2002
SPIKE1, $
GNU (GPL). $
2 $
. SPIKE ,
.
. SPIKE
, ,
. SPIKE
,
. Sun RPC Microsoft RPC
,
. SPIKE $

. $
, 21 $
.
, SPIKE,
UNIX, (sharefuzz). $
, , $
. ,
. $
,
( $
), , .
SPIKE
. $
(Michal Zalewski)3 ( lcamtuf) 2004
$
(mangleme)4 CGI, $
HTML,
$. $
. . . (Aviv Raff) Hamachi5
HTML (DHTML),
(Matt Murphy) (Therry Zol$
ler) CSSDIE6 $
(CSS).
1. http://immunityinc.com/resources-freesoftware.shtml
2. http://www.immunityinc.com/downloads/advantages_of_block_based_analysis.html
3. http://lcamtuf.coredump.cx/
4. http://lcamtuf.coredump.cx/mangleme/mangle.cgi
5. http://metasploit.com/users/hdm/tools/hamachi/hamachi.html
6. http://metasploit.com/users/hdm/tools/see-ess-ess-die/cssdie.html

49

2004 . Microsoft $
MS04$028, $
, JPEG.1 $
,
$ , $
Microsoft . $
,
.
, $
. $
$.
? , $
, Microsoft,
Microsoft Office,
. $

, $
.
Black Hat 2005 2 $
, ,
, File Fuzz,
SPIKEfile notSPIKEfile.3
2005 Mu Security
,
.4
$
. $
, ,
5,
(Gadi Evron). ,
.
ActiveX 2006 , $
COMRaider, . . AxMan.6 $
ActiveX, $
$
Microsoft Internet Explorer.
, $
. ActiveX, ,
1. http://www.microsoft.com/technet/security/bulletin/MS04-028.mspx
2. http://www.blackhat.com/presentations/bh-usa-05/bh-us-05-sutton.pdf
3. http://labs.idefense.com/software/fuzzing.php
4. http://www.musecurity.com/products/overview.html
5. http://www.whitestar.linuxbox.org/mailman/listinfo/fuzzing
6. http://metasploit.com/users/hdm/tools/axman/

50

2. ?

,
, $
, $
. ActiveX $
17 $$
18 $: .
,
, . $
. 2.1, .
,
. $
,
$
.
.
, , $
, , $
.
$
$.

1999
2002


Black Hat

SPIKE
PROTOS

2000

2001

2002

2005
Black Hat
File
Fuzz, SPIKEfile
notSPIKEfile

2003

2005


(Codenomicon,
Mu Security . .)

2004

2005

2006

2006


ActiveX: COMRider

AxMan . .

2007

1989 1989 1999






UNIX


1989

2007

PROTOS SNMP
2002

. 2.1.


(lcamtuf)

Mangleme
2004

. . ,

Hamachi
CSSDIE
2006

51


? $
. ,
. ,
, , .

:
1. . $
. $
$
, .
,
. $
$
. , Securi$
tyFocus1 Secunia2, . $
$, ,
, , , $
, . $
,
. ,
, $
, $
$ .
2. .
, $
$
.
. $
$
. $
. $
, . $
, , ,
. . ,
.
3. . $
, . $
, ,
,

1
2

http://www.securityfocus.com/
http://secunia.com/

52

2. ?

. $
.
4. . $
. .
,
.
. $
.
5. . , $
,
. $ 10 000 $
, $
, . $
;
.
6. . $
$
, .
$
. , $
,
.
. 2.2.

; $
.

. 2.2.

53

.
, , , 100%
. $
, , , .


$
. $
. ,
.


,
, $
. , , $, $
. $
, .
. $
. $
, $
.
, $
. $
,
,
. $
. $
,
. ? , .
,
.
, , , $
$
.


$
. , , ,
Veritas Backup Exec, $
Windows, ,
.1 , ,

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=269

54

2. ?

. $ $
, TCP RPC,
, $
.
.
, , , $

Microsoft (Microsoft Interface Description Language, IDL), $
$
.

RPC ,
, , $
. , $
ActiveX 18 $: $
, $
, , .
, .


,
,
, , . $
, $
. , , $
, ,
, $
. , $
, , $
, .


.
,
. ,
, $
. , , , $
, $
.
. , $
x86 Linux , %n,
:
mov %ecx,(%eax)

55

$
, %n,
, $$
.
SIGSEGV. $
SIGSEGV, $
.
.
( ) $ $
, , , $
SIGSEGV.
, ; $
, ,
? , $
, , $
.
, .
$
.


, $
.
. $
,
, $
. ,
$
,
.

, $
,
. , ,
. ,
, $
. $
, .


.
.
$.,
$, ,
6 2004

.
$
.
, . $
, $
. $
II .


, $
: , $
, +
, ,
.
.
,
, .

57


, $
(pregenerated test cases) $
PROTOS. $
, , $
$
.
, $
. $
, $
. $
,
, ,
$
.
$
, . $
, $
.


, , , $
,
. $
$
,
. $
,
while [ 1 ]; do cat /dev/urandom | nc -vv target port; done

Linux$$
urandom ,
netcat. while , $
.
, ,
. $
! $
, , . $
, 500 000 ,
. , , . , $
, $
. ,
, ,

58

3.

. . 3.1 $
$
,
. ? ,
.
. , .

. 3.1. ? /dev/urandom


, , /dev/urandom.
$
. , . $
,
$
. , , , $
. ,
.
$.

59

,

, , $
$
, , $
.
, $
. , ,
. , $
, . ., ,
, .
,
, $
. , $
. , $
. $
,
, $ $
.
FileFuzz notSPIKEfile Windows Linux .



.
: $
. ,
$
, , $
.
, , ,
.
,
. $
$
, $. $
SPIKE SPIKEfile.
SPIKE $

.
, $
.

60

3.


, , ,
. $
, .
, $
. $
.
, , $
.


UNIX setuid $
. $
,
setuid
.
setuid $
: 1) $
setuid $
; 2) UNIX $
, . , $
.


$
, . ,
1 ,
:
#include <string.h>

int main(int argc, char **argv)
{
    char buffer[10];
    strcpy(buffer, argv[1]);  /* first command-line argument copied unchecked into a 10-byte buffer */
    return 0;
}

setuid,
. , $

setuid, . ,
.

61

:
clfuzz1 warl0ck.
.
iFUZZ2 . $
. $
, $
,
(usage help messages).



setuid.
, , $
:
#include <stdlib.h>
#include <string.h>

int main(int argc, char **argv)
{
    char buffer[10];
    strcpy(buffer, getenv("HOME"));  /* environment variable copied unchecked into a 10-byte buffer */
    return 0;
}


,
, . ,

, $

. $
. $
:
Sharefuzz3 . $
. getenv $
.
iFUZZ4 . $
,
. iFUZZ , Sharefuzz,
.
setuid 7
8 $
: .
1. http://warl0ck.metaeye.org/cb/clfuzz.tar.gz
2. http://fuzzing.org
3. http://www.immunitysec.com/resources-freesoftware.shtml
4. http://fuzzing.org

62

3.


, , , $
. , $
, $
, . , $
. $
,
.
. $
, $
$.
, $
.
:
FileFuzz1 .
(GUI) Win$
dows.
notSPIKEfile SPIKEfile2 . UNIX$, $
SPIKE .
PAIMEIfilefuzz3 . FileFuzz,
Windows GUI; PaiMei. PaiMei $
.
11
, 12 :
UNIX 13 :
Windows.


, $
. ,
. $
$
, $, ,
(DNS) . .

.

1
2
3

http://fuzzing.org
http://fuzzing.org
https://www.openrce.org/downloads/details/208

63


$
: . $
.


.
, ASCII.
. $
.
FTP. FTP $
ASCII.
.

$
ASCII. $
, ; $
.

Microsoft (MSRPC): , $
, $
. . $
, . $
:
SPIKE1 . SPIKE
. $
;
API.
Peach2 (Michaei Eddington).
, Python. ,

.
14
, 15 :
UNIX 16 :
Windows.

1. http://www.immunitysec.com/resources-freesoftware.shtml
2. http://peachfuzz.sourceforge.net/

64

3.


$ $
, $
. Web 2.0 ( )
, , $
.1
$ ,
, SQL, XSS . .
, HTTP
. $
$ :
WebScarab2 OWASP. $
.
SPI Fuzzer3 SPI Dynamics. HTTP
$, WebInspect.
Codenomicon HTTP Test Tools4 Codenomicon. $
HTTP.
$ 9 $
10 $ $
: .


$
, , $
$
. $ $
HTML . , $
lcamtuf mangleme, $
,
<META REFRESH>
. $
$
. $
.
$ HTML $
. , $
See$Ess$Ess$Die CSS, COM Raider
COM, Microsoft In$

1
2
3
4

http://www.google.com/a/
http://www.owasp.org/index.php/Fuzzing_with_WebScarab
http://www.spidynamics.com/products/webinspect/index.html
http://www.codenomicon.com/products/internet/http/

65

ternet Explorer. $
. $:
mangleme1 lcamtuf. HTML.
CGI,
HTML.
DOM+Hanoi2 . . . DHTML.
Hamachi3 . . . DHTML.
CSSDIE4 . . , , +
. CSS.
COM Raider5 (David Zimmer). $
COM ActiveX.
COM ActiveX 17
$ 18 $: $
. CSS $
;
, .


$ $
. $
. , $
. $

.
, . , $
. $
, $
. :
.
, ,
$
; .
. $
$
. ,
, $
, $
1. http://freshmeat.net/projects/mangleme/
2. http://metasploit.com/users/hdm/tools/domhanoi/domhanoi.html
3. http://metasploit.com/users/hdm/tools/hamachi/hamachi.html
4. http://metasploit.com/users/hdm/tools/see-ess-ess-die/cssdie.html
5. http://labs.idefense.com/software/fuzzing.php#more_comraider

66

3.

, , , $
.
:
. $
, ,
.
. $
, $
.
.
. 19 $
20 : ,
.


()
.
,
. $
, ,
, SPIKE Peach.
, $
, $
. $
. , $

, $
. ,
. $
. :
. $
, $
.
. $
,
,

,
.
:
. $
, , ,

67

.
.
. , $
, , ,
.
,
.
.
, $
, , $
.
.

,
,
, $
. $
, .

$
, .
,
.
, $
. ,
, ,
. $
, .

.
$.,
, ,
21 2004

$
. ,
. $
, $
.
, .
, , $
,
. ,
$
.

?
.
,
, . $
, $
. ,
, ,
, , $
. $

69

, $
( $
). , $
, : .
$, 345. $
, , , $
. $
. $
. ,
. ,
.
: ,
, , $
$
.1
;
. , $
,
,
. $
, ,
. $
.
. ,
.
.

.
. , $
, $
,
.
, $
. ,
, , $
. , $

, . $
, $

.
, $
.
1

http://en.wikipedia.org/wiki/Protocol_%28computing%29

70

4.

.
, $
. , $
GIF , $
Microsoft Excel, .
, , $
. , $
. .


,
, $
, . ,
, $
, . $
:
, .

, .
$
, . , $
, $
, CSV ( ), $
$
, , , Microsoft Excel.
XML , ,
; XML
, , $
. ,
$
(< >), $
(=).

.
, Ethernet, $ (IP), $
(TCP)
(UDP), $
, $
. , Ethernet
, MAC$ ( $
), , $
MAC$ .
$
.

71

.
$
.
, $
, . $
$
,
;
, , $
, , $
.


$
, $
,
. , $
IPv6
32 . Intel,
3.41, $
Pentium:

Pentium.
, $
, 69 Pentium
Pro Pentium II. (DCU)
, 32 .
,
DCU, Pentium Pro Pen$
tium II. $
, ,
32 , $
32 ,
$
.1
RISC$ (RISC $
), SPARC, ,

,
.
1

http://download.intel.com/design/intarch/manuals/24281601.pdf

72

4.


(plain text protocol) $
,

ASCII. , , $
, ,
(\r, 0x0D), (\n $
0x0A), (\t, 0x09)
( 0x20).
,
, .
$
, ,
, $
. (FTP) $
.
, , . FTP $
$
. , FTP $
, ,
:
C:\>nc 192.168.1.2 21
220 Microsoft FTP Service
USER Administrator
331 Password required for Administrator.
PASS password
230 User Administrator logged in.
PWD
257 "/" is current directory.
QUIT
221


Netcat1 FTP$ Microsoft. $
FTP$, Netcat
, ,
.
, , ,
, ,
, . , $
.
, ,
.

http://www.vulnwatch.org/netcat/

73


, $
, $
.
$ . $
, $
.
,
$
, , $
, $
AOL (AIM) , ,
, .
, $
.
AIM, $
, $
. AIM
.1
,
$
. AIM OSCAR (
). $
, GAIM2
Trillian3. , ,
Wireshark,
. .
, , $
.
, $
, $
, . $
Google ,
.
Wotsit.org $
$
.
,
AIM. , $
.
1
2
3

http://en.wikipedia.org/wiki/AOL_Instant_Messenger
http://gaim.sourceforge.net/
http://www.ceruleanstudios.com/

74

4.

AIM , Wireshark
.
. . 4.1 $
Wireshark $
AIM AIM. ,
.
AOL, $
. , $
AIM Signon (0x0017) $
Signon (0x0006).

. 4.1. AIM Signon:


AIM Signon, Sign$on. $
(0x0001), (fuzz$
ingiscool) (13). $
. , $
.
, $
. , $
, ($
). $
,

75

,
. $
. , , $
,
;
.
, SPIKE1, .
. 4.2,
(3740020309). AIM$
, $
. , $
,
.

. 4.2. AIM Signon:

. 4.3 ,
,
. $
, ,
,
.

http://www.immunitysec.com/resources-freesoftware.shtml

76

4.

. 4.3. AIM Signon:

,
. $
(), $
AOL, 5.5.3591/WIN32.
.


FTP AIM
. ,

77

. , $
, , ,
,
. :
, . $
.
?
.
$
$
, . $
$ $
, ,
, $
. , $
, , $
$
. $
(IETF).1 IETF $

:
(RFC), $ $
, , $
. RFC $
IETF .


, , $
$
. , $
Microsoft Office. Microsoft
$
, Microsoft Office, Excel PowerPoint.
, OpenDocument (ODF)2,
OpenOffice.org
OASIS ( $
).3 OASIS , $

,
.

1. http://www.ietf.org/
2. http://en.wikipedia.org/wiki/OpenDocument
3. http://www.oasis-open.org

78

4.

OASIS Microsoft
2005 Mi$
crosoft Office, , Microsoft
Office Open XML.1 $
, ODF. Microsoft
Open XML Translator2

XML.
$
$
, OpenOffice Writer Microsoft Word 2003.
, fuz$
zing, , . $
OpenOfficeWriter OpenDocument Text
(*.odt). $
, . , $
*.zip , ,
XML, ,
$
:
Directory of C:\Temp\fuzzing.odt

07/18/2006  12:07 AM    <DIR>          .
07/18/2006  12:07 AM    <DIR>          ..
07/18/2006  12:07 AM    <DIR>          Configurations2
07/18/2006  04:05 AM             2,633 content.xml
07/18/2006  12:07 AM    <DIR>          META-INF
07/18/2006  04:05 AM             1,149 meta.xml
07/18/2006  04:05 AM                39 mimetype
07/18/2006  04:05 AM             7,371 settings.xml
07/18/2006  04:05 AM             8,299 styles.xml
07/18/2006  12:07 AM    <DIR>          Thumbnails
               5 File(s)         19,491 bytes
               5 Dir(s)  31,203,430,400 bytes free

$
. XML,
.
Content.xml , , $
, $
, ,
, $
(fuzzing):

1. http://www.microsoft.com/office/preview/itpro/fileoverview.mspx
2. http://sev.prnewswire.com/computer-electronics/20060705/SFTH05506072006-1.html


<?xml version="1.0" encoding="UTF-8"?>
<office:document-content
xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0"
xmlns:style="urn:oasis:names:tc:opendocument:xmlns:style:1.0"
xmlns:text="urn:oasis:names:tc:opendocument:xmlns:text:1.0"
xmlns:table="urn:oasis:names:tc:opendocument:xmlns:table:1.0"
xmlns:draw="urn:oasis:names:tc:opendocument:xmlns:drawing:1.0"
xmlns:fo="urn:oasis:names:tc:opendocument:xmlns:xsl-fo-compatible:1.0"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:meta="urn:oasis:names:tc:opendocument:xmlns:meta:1.0"
xmlns:number="urn:oasis:names:tc:opendocument:xmlns:datastyle:1.0"
xmlns:svg="urn:oasis:names:tc:opendocument:xmlns:svg-compatible:1.0"
xmlns:chart="urn:oasis:names:tc:opendocument:xmlns:chart:1.0"
xmlns:dr3d="urn:oasis:names:tc:opendocument:xmlns:dr3d:1.0"
xmlns:math="http://www.w3.org/1998/Math/MathML"
xmlns:form="urn:oasis:names:tc:opendocument:xmlns:form:1.0"
xmlns:script="urn:oasis:names:tc:opendocument:xmlns:script:1.0"
xmlns:ooo="http://openoffice.org/2004/office"
xmlns:ooow="http://openoffice.org/2004/writer"
xmlns:oooc="http://openoffice.org/2004/calc"
xmlns:dom="http://www.w3.org/2001/xml-events"
xmlns:xforms="http://www.w3.org/2002/xforms"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
office:version="1.0">
<office:scripts/>
<office:font-face-decls>
<style:font-face style:name="Tahoma1" svg:font-family="Tahoma"/>
<style:font-face style:name="Times New Roman"
svg:font-family="&apos;Times New Roman&apos;"
style:font-family-generic="roman"
style:font-pitch="variable"/>
<style:font-face style:name="Arial"
svg:font-family="Arial"
style:font-family-generic="swiss"
style:font-pitch="variable"/>
<style:font-face style:name="Lucida Sans Unicode"
svg:font-family="&apos;Lucida Sans Unicode&apos;"
style:font-family-generic="system"
style:font-pitch="variable"/>
<style:font-face style:name="Tahoma"
svg:font-family="Tahoma"
style:font-family-generic="system"
style:font-pitch="variable"/>
</office:font-face-decls>
<office:automatic-styles/>
<office:body>
<office:text>
<office:forms form:automatic-focus="false"
form:apply-design-mode="false"/>
<text:sequence-decls>
<text:sequence-decl text:display-outline-level="0"
text:name="Illustration"/>
<text:sequence-decl text:display-outline-level="0"
text:name="Table"/>
<text:sequence-decl text:display-outline-level="0"
text:name="Text"/>
<text:sequence-decl text:display-outline-level="0"
text:name="Drawing"/>
</text:sequence-decls>
<text:p text:style-name="Standard">fuzzing</text:p>
</office:text>
</office:body>
</office:document-content>

Microsoft Word 2003, $


Word (*.doc).
, , , ,
OpenDocument (20 7 ).
, $
, , $
.
, , $
, , , $
:
00000a00h: 66 75 7A 7A 69 6E 67 0D 00 00 00 00 00 00 00 00 ; fuzzing.........

000024d0h: 66 75 7A 7A 69 6E 67 00 1E 00 00 00 04 00 00 00 ; fuzzing.........
000024e0h: 00 00 00 00 1E 00 00 00 1C 00 00 00 4D 69 63 68 ; ............Mich
000024f0h: 61 65 6C 2C 20 41 64 61 6D 20 61 6E 64 20 50 65 ; ael, Adam and Pe
00002500h: 64 72 61 6D 00 00 00 00 1E 00 00 00 04 00 00 00 ; dram............

00002560h: 4D 69 63 72 6F 73 6F 66 74 20 4F 66 66 69 63 65 ; Microsoft Office
00002570h: 20 57 6F 72 64 00 00 00 40 00 00 00 00 00 00 00 ;  Word...@.......


?

. $
, , $
. $
, .


$
(, =12),
.

81

Content.xml,
XML.
$
, $
, .


, $
, . $
. $
AIM AIM Signon $
(0x0001) . $
, ,
AOL. $
, , , $
, $
.


$
, , $
, $
, .
, ,
, . $
$ . , $
,
, .



, $
, .
;
,
,
$
. PNG
, . $
,
, $
,
.

82

4.


, $
,
.
, ,
,
, . $
$
, , ,
, $
, . 22

.

,
.
$.,
, ,
21 2001


.
, $
. ,
, $
. $
, .
,
, , $
, , . , II
, , $
,
. , , $
,
,
, 12
: UNIX. $
, , $
, .

84

5.


,
$
. , $
.
$
, , ,
. $
. $
POST
, $
. $
$ , $
. ? , . $
, . , $
, $ . ,
$ ,
. $
, $
.
,
. $
$
1, $
. , $
$ $
.2
: , , , $

.
.
.
, , , $
, $
. , $
.

http://www.outsourceworld.org/, http://money.cnn.com/2003/09/17/news/
economy/outsourceworld/
Computer Science Students Outsource Homework, http://developers.slash+
dot.org/developers/06/01/19/0026203.shtml

85


,
,
. $
,
, . $
, ,
JPEG Microsoft Paint. $
, ,
, , ,
. 5.1.

JPEG

1.jpg

2.jpg
3.jpg

Microsoft
Paint

4.jpg
...

. 5.1.

JPEG $
JPEG. $
, $
Microsoft Paint
. ,

Microsoft Paint. $
,
.
,
. , $
, .
, , (SMTP),
(SIP) $
IP (VoIP):

86

5.
Excerpt of an SIP INVITE Transaction

49 4e 56 49 54 45 20 73 69 70 3a 72 6f 6f 74 40  INVITE sip:root@
6f 70 65 6e 72 63 65 2e 6f 72 67 20 53 49 50 2f  openrce.org SIP/
32 2e 30 0d 0a 56 69 61 3a 20 53 49 50 2f 32 2e  2.0..Via: SIP/2.
30 2f 55 44 50 20 76 6f 69 70 2e 6f 70 65 6e 72  0/UDP voip.openr


, , $
( , $
). ,
,
,
?
, $
, , $
.


$
, :
. (. 5.2).
($
, ), , $
PIN$, ,
, $
. $
,

PIN

. 5.2.

87

. $
. $
,
. ,
, . ,
, . ,
, $
, PIN$.

SSH ( ). $
.
. $
, .
,
.
SSH, ,
. 5.3.

. 5.3. SSH

,
, $
. $
,
. $
.
MAIL FROM SMTP,
HELO EHLO. . 5.4,
SMTP MAIL
FROM , ,
.

88

5.

HELO openrce.org

SMTP

MAIL FROM:pedram@openrce.org

HELO openrce.org

. 5.4. 1 SMTP

. 5.4 1 , $
MAIL FROM.
. 5.5: SMTP $
MAIL FROM $
.

SMTP

HELO openrce.org

MAIL FROM:pedram@openrce.org

HELO openrce.org

MAIL FROM:pedram@openrce.org

. 5.5. 2 SMTP

. 7 2006 $
1, $
SMTP Ipswitch Collaboration Suite.
$ @ :
. $
,
EHLO. $
, . $
, $
EHLO HELO.
?
.

http://www.zerodayinitiative.com/advisories/ZDI-06-028.html

89

,
,
.

,

, $
, . $
, , , $
,
.
. (quality assurance, QA) $
, , $
. $
QA $, , $
, $
90% ,
25% . $
,
$
, . $
23 .
$
, , $
.
: ? ,
: ?



. $
, . ,
, $
, , $
. $
, , $
, , . (ping)

, . $
, .
ASCII, $
,
, , Windows Event Viewer, . 5.6.

90

5.

. 5.6. Microsoft Windows Event Viewer

,
.
,
. , ,
, Microsoft Windows $
,
(Structured Exception Handling,
SEH).1
$
$ ,
. , $
FileFuzz, II, $
Microsoft Windows $
. $
,
, . ,
SMTP, Mac OS X, Microsoft Windows
Gentoo Linux, , ,
. , $
$ ,
, . VoIP,
1. http://msdn2.microsoft.com/en-us/library/ms680657.aspx

91

$
, $
.
,
DBI1 (dynamic binary instrumentation/translation) Valgrind2
Dynamo Rio3.
, $ .
DBI
$
$ . $
, $
, . .
, ,
, , $ $
, .
, , $
,
. Valgrind $
, $
, .

.
,
, $
.


, (, $
), .
. , $
,
, $
, $50 .
$
(software development lifecycle, SDLC)
. $
, .
, , $
. , SDLC $
, ,
1
2
3

http://en.wikipedia.org/wiki/Binary_translation
Valgrind: http://valgrind.org/
Dynamo RIO: http://www.cag.lcs.mit.edu/dynamorio

92

5.

. ,
, ,
, , .
,
,
,
. ,
SDLC .

,
$
.
, $
.
; $
, $
$
.

II

6.
7.
8. :
9. $
10. $ :
11.
12. : UNIX
13. : Windows
14.
15. : UNIX
16. : Windows
17. $
18. $:
19.
20. :

.
,
, .
$.,
, ,
5 2004

.
$
.
$
, . $

, . $
,
,
$

.


, $
, .

96

6.

, .

, , , , $
,
.
,
.
,
, $
. ,

, Java, .NET Python. $
,

. $ $
$

, .

,
. $
,
. ,
$
, $

.
. $
, :

FTP$,
, FTP$,
.

FTP$.

, $
, $
, . $
, $
, , .
, $
, $
. ,

97


, .


$

, .1 ,
,
. $
(
).

Ethereal2/Wireshark3
Wireshark ( Ethereal)4 $
.
,
, $
. Wireshark $
,

. , , , $
, ,
. $
$
, Wireshark. $
Wire$
shark, , Ethernet.5

libdasm6 libdisasm7
libdasm, libdisasm $
;
at&t Intel $
. Libdasm , libdisasm Perl. Libdasm
Python. $
,
1
2
3
4
5
6
7

http://www.threatmind.net/secwiki/FuzzingTools
http://www.ethereal.com
http://www.wireshark.org
http://www.wireshark.org/faq.html#q1.2
http://anonsvn.wireshark.org/wireshark/trunk/epan/dissectors/
http://www.nologin.org/main.pl?action=codeView&codeId=49
http://bastard.sourceforge.net/libdisasm.html

98

6.

.
: 12 $
: UNIX, 19
, 20 : $
, 23 24 $
.

Libnet1/LibnetNT2
Libnet $
;
.
, $
IP ,
. $
, .

LibPCAP3
LibPCAP Microsoft Windows WinPCAP4 $
;

UNIX Microsoft Windows. $
, Wireshark, $
.

Metro Packet Library5


Metro Packet Library , C# $
Ipv4, TCP, UDP $
(ICMP). $
.
16 $
: Windows.

PTrace
UNIX
ptrace() ( ). $
ptrace() , , $
.

1
2
3
4
5

http://www.packetfactory.net/libnet
http://www.securityfocus.com/tools/1559
http://www.tcpdump.org
http://www.tcpdump.org/wpcap.html
http://sourceforge.net/projects/dotmetro

99

,
8 :
12 : UNIX.

Python
Python
. Pcapy, Scapy PyDbg.
Pcapy1 Python, LibPCAP\WinPCAP $
Python . Scapy2
, $
, .
Scapy ,
. PyDbg3 32$ Py$
thon Microsoft Windows,
. PyDbg $

PaiMei4, 19, 20,
23 24.
$
. $ $
. , $
,
, .


$

;
, : .
.
, $
. $
,
.
$
,
.

1
2
3
4

http://oss.coresecurity.com/projects/pcapy.html
http://www.secdev.org/projects/scapy
http://openrce.org/downloads/details/208/PaiMei
http://openrce.org/downloads/details/208/PaiMei

100

6.


,
: $
. , ++, $
.
, Libnet
.
, Python Ruby,
; $
. $
,
. ,
, , $
, , .
Java, PHP
C# .


, , $
. , $
. , , $
IMAP.
IMAP, ,
(CCR),
RCF 3501.1
7.5.
+
. ,
.
.

, .
,
.
,
.
.
, CRLF, ,
. 
,
:

http://www.faqs.org/rfcs/rfc3501.html

101

C: A001 LOGIN {11}
S: + Ready for additional command text
C: FRED FOOBAR {7}
S: + Ready for additional command text
C: fat man
S: A001 OK LOGIN completed
C: A044 BLURDYBLOOP {102856}
S: A044 BAD No such command as "BLURDYBLOOP"
...

RFC , {} ($
),
, .
, $
? $
? , ,
32$ 0xFFFFFFFF
(4,294,967,295).
, 136 !
$
100 ,
500 .
IMAP , $
. , $
,
.

$
.
,
.


(0 0xFFFFF$
FFF) $
.
? , $
. $
,
,
, :
int size = read_ccr_size(packet);
// save space for NULL termination.
buffer = (char *) malloc(size + 1);

,
. ,

102

6.

, $
. , $
(, $
32$ ) $
(, )
, $
, ,
0xFFFFFFFF-1, 0xFFFFFFFF-2, 0xFFFFFFFF-3 1, 2, 3, 4 . .
$
. , , ,
Unicode. $
2. $
, :
int size = read_ccr_size(packet);
// create space for the Unicode converted buffer
// plus Unicode NULL termination (2 bytes).
buffer = (char *) malloc((size * 2) + 2);


,
: 0xFFFFFFFF/2,
0xFFFFFFFF/2-1, 0xFFFFFFFF/2-2 . .
, 3? 4? , $
, $
16$ (0xFFFF)?
8$ (0xFF)?
.
:
MAX32 - 16 <= MAX32 <= MAX32 + 16;
MAX32 / 2 - 16 <= MAX32 / 2 <= MAX32 / 2 + 16;
MAX32 / 3 - 16 <= MAX32 / 3 <= MAX32 / 3 + 16;
MAX32 / 4 - 16 <= MAX32 / 4 <= MAX32 / 4 + 16;
MAX16 - 16 <= MAX16 <= MAX16 + 16;
MAX16 / 2 - 16 <= MAX16 / 2 <= MAX16 / 2 + 16;
MAX16 / 3 - 16 <= MAX16 / 3 <= MAX16 / 3 + 16;
MAX16 / 4 - 16 <= MAX16 / 4 <= MAX16 / 4 + 16;
MAX8 - 16 <= MAX8 <= MAX8 + 16;
MAX8 / 2 - 16 <= MAX8 / 2 <= MAX8 / 2 + 16;
MAX8 / 3 - 16 <= MAX8 / 3 <= MAX8 / 3 + 16;
MAX8 / 4 - 16 <= MAX8 / 4 <= MAX8 / 4 + 16,
MAX32 32$ (0xFFFFFFFF),
MAX16 16$ (0xFFFF), MAX8
8$ (0xFF), 16

103

.

. $
,

100 .

. ,
. $

$
, $
. $
22 $
.


1 2005
,
Novell NetMail IMAPD1, $
. ,
$

.
$
, $
$

MMalloc() (. ):
; ebx is attacker controlled
00402CA2 lea ecx, [ebx+1]
00402CA5 push ecx
00402CA6 call MMalloc

MMalloc() $
.
,
$
. $
memcpy():
1

http://pedram.redhive.com/advisories/novell_netmail_imapd/

104

6.

; destination is attacker allocated
00402D6E rep movsd
00402D70 mov ecx, edx
00402D72 and ecx, 3
00402D75 rep movsb

, $
,
,
.
Novell
, $
. Novell, IMAP
. ,
1 0xFFFFFFFF, 2 0xFFFFFFFE
. . ,
:
x LOGIN {4294967295}

:
x LOGIN {1}


, 22 2006 Novell $
...1


$
, ,
? 12
:
perl -e 'print "A" x 5000'

$
. , $
ASCII, B. , $
, $

1. http://www.zerodayinitiative.com/advisories/ZDI-06-053.html
2. Google: http://www.google.com/search?hl=en&q=%22perl+-e+%27print+%22A%22*%22

105

Microsoft Windows $ ASCII


A B .
, ,
, , $
, $
A. ,
AAAAAAAAAAAAAAAAA.


, $$
, .
. $
$
, $
, ,
. , ,
http$ :
!@#$%^&*()_=+{}|\;:'",<.>/?~`

, $, http?

HTTP$:
HTTP/1.1 200 OK
Date: Sun, 01 Oct 2006 22:46:57 GMT
Server: Apache
X-Powered-By: PHP/5.1.4-pl0-gentoo
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, post-check=0, pre-check=0
Pragma: no-cache
Keep-Alive: timeout=15, max=93
Connection: Keep-Alive
Transfer-Encoding: chunked
Content-Type: text/html; charset=ISO-8859-1

, , $
, $
0x0d 0x0a.
. ,
( ), (/) (.)
.
(:) , $
Content-Type, Server Date . $
,
(,), (=), (;) ().
$
, $
(. ). , $

106

6.

. , ,
Sendmail (2003 ).1 $
<>, $
. $

:
#include <string.h>

void parse(char *inbuf)
{
    char cpy[16];
    char *cursor;
    char *delim_index;
    int length = 0;

    for (cursor = inbuf; *cursor; cursor++)
    {
        if (*cursor == ':')
            delim_index = cursor;   /* remember the last delimiter seen */
        else
            length++;               /* only non-delimiter bytes are counted */
    }

    // 2 for null termination and the ':' delimiter
    if (length < sizeof(cpy) - 2)
        strcpy(cpy, inbuf);         /* copies the delimiters as well, which length did not count */
}

,
(). $
.
length . $

$
,
,
strcpy(). $
, name:pedram amini.
, 16, ,
, strcpy().
: name::::::::::::::::::::::pedram? $
10, , $
strcpy().
,
strcpy(), 32, .

http://xforce.iss.net/xforce/alerts/id/advise142

107


$
; , , $
.
, %d,
10, %08x $
16. $
%s,
%n ( ).
, $
. $

. $
%s , $
, , $
. %s $
.
$
%s%n.



,
%d, %x, %s, ,
%n , $
.
.

$
, $
%n $
.
Microsoft $
%n $
printf. $
_set_printf_count_output()1, $
, %n. $
%n ,
.
1. http://msdn2.microsoft.com/en-us/library/ms175782.aspx

108

6.


, , $
, $
. , 0xFE 0xFF
4 UTF16.

.
,
, $
. , Microsoft Internet Explorer $
UTF$8 Unicode.1 ,
5$ 6$ UTF$8

. $
, , 5$ 6$ $
UTF$8, .

.


$
, $.

$. ,
$,
,
. Mitre CVE 2006 , $

, $
, .2
$, $
$. (OSVDB)

, .3
, , Computer Associates BrightStor
ARCserve backup. BrightStor $
TCP caloggerd. $
, ,
$
. $

1. http://www.zerodayinitiative.com/advisories/ZDI-06-017.html
2. http://cwe.mitre.org/documents/vuln-trends.html#table1
3. http://www.osvdb.com/searchdb.php?text=directory+traversal

109

, $
, $
. $
,
. UNIX, , $
/etc/passwd.
;
2007 .
$
, ../../ ..\..\.


, $
$, $
CGI. $
, $; $

. , $
, $
$
, exec() system(), $
. $
Python:
directory = socket.recv(1024)
listing = os.system("ls /" + directory)
socket.send(listing)

$
, ,
. $
, $
. UNIX $
&&, ; |. , var/lib ; rm -rf /
ls /var/lib ; rm -rf /, ,
.
.

,
,
.

II III $
. $
,

110

6.

. $
.
,
$, , $
, .
,
. $
, $
. $
, , ,
.


.
$.,
New York Daily News,
23 2002

, .
$
, ,
$
.
$, $
.


. $
, . . , $

.
, .

112

7.


, Windows,
,
. ;
argv, main C. $
argc . $
, , , $
. $
:
#include <stdio.h>

int main(int argc, char *argv[])
{
    int ix;
    for (ix = 0; ix < argc; ix++)
        printf("argv[%d] == %s\n", ix, argv[ix]);   /* echo every argument with its index */
    return 0;
}


, . 7.1.

. 7.1.


$
. ,

113

. $
, . $
( ) $
, $
. ,
. command.com $
Windows. UNIX $
, sh, csh, ksh bash.

HOME, PATH, PS1 USER. $
, ,
.
, $
, $
, .
, $
getenv, $
. Windows ,
UNIX, UNIX, $
Windows setuid,
, ,
. . 7.2

. 7.2. bash

114

7.

UNIX.
, bash set.
$
export. , , $
, $
.


: $
,
. ,
.
, .
$
.
, , $
, , ,
. $
, $
. $
,
.
,
. $
, , $
. 'su',
UNIX. $
, , $
,
,
$
.
C, , $
su $ :
int main(int argc,char *argv[])
{
[...]
if (argc >1)
become(argv[1]);
else
become("root");
[...]
}

115

,
, $
. . ,
$
? ?



.
. UNIX
, setuid
setgid.
setuid setgid ,
. setuid,
, , . set
gid, $
. , , setuid,
setgid, .
setuid
find,
UNIX .
setuid (setuid binaries) . $
, :
find / -type f \( -perm -4000 -o -perm -2000 \)

find , $
,
.
, find.
, ,
/ . type
find, . ,
, .
perm , . $
o find or. $
setgid setuid, true
. , $
, setuid (4), setgid (2). $
Fedora
Core 4:
[root@localhost /]# find / -type f \( -perm -4000 -o -perm -2000 \)
/bin/traceroute6
/bin/traceroute
/bin/mount

/bin/su
/bin/ping6
/bin/ping
/bin/umount
/usr/bin/lppasswd
/usr/bin/gtali
/usr/bin/wall
/usr/bin/chsh
/usr/bin/passwd
/usr/bin/glines
/usr/bin/gnibbles
, gnibbles
/usr/bin/at
...
/usr/bin/gnotravex
/usr/bin/gnobots2
/usr/bin/sudo
/usr/bin/samegnome
/usr/bin/gataxx
/usr/bin/rcp
/usr/bin/mahjongg
/usr/bin/iagno
/usr/bin/rlogin
/usr/bin/gnotski
/usr/bin/chage
/usr/bin/lockfile
/usr/bin/write
/usr/bin/gpasswd
/usr/bin/sshagent
/usr/bin/crontab
/usr/bin/gnomine
/usr/bin/sudoedit
/usr/bin/chfn
/usr/bin/slocate
/usr/bin/newgrp
/usr/bin/rsh
/usr/X11R6/bin/Xorg
/usr/lib/vte/gnomeptyhelper
/usr/libexec/openssh/sshkeysign
/usr/sbin/userhelper
/usr/sbin/userisdnctl
/usr/sbin/sendmail.sendmail
/usr/sbin/usernetctl
/usr/sbin/lockdev
/usr/sbin/utempter
/sbin/pam_timestamp_check
/sbin/netreport
/sbin/unix_chkpwd
/sbin/pwdb_chkpwd


UNIX
UNIX
: , .
: $
, , . $
. $
, ,
. , ,
, .
,
:
-r-x--x---  2 dude  staff  2048 Jan  2  2002 File

dude. ,
. ,
, $
.

, , . $
. ,
: , $
, .
UNIX
.
, . . 0 7.
4, 2, 1.
, .
, , $
, , , 666.
dude 510:
(5) = (4) + (1), (1) = (1), $
(0), . . .
setu
id setgid. setuid 4, setgid 2. $
, setuid setgid 6755.
, ,
, .



; ASCII,
. $
HOME


, , .
Perl, UNIX
:
HOME=$(perl -e 'print "X"x10000') /usr/bin/target

,
HOME. , ,
, HOME. $
, ?
, ?


, $
.
, getenv
. getenv $
getenv,
.
,
.

GNU (GDB)
, . $
GDB getenv
. GDB
Solaris 10:
(08:55AM)[user@unknown:~]$ gdb -q /usr/bin/id
(no debugging symbols found)...(gdb)
(gdb) break getenv
Function "getenv" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (getenv) pending.
(gdb) commands
Type commands for when breakpoint 1 is hit, one per line.
End with a line saying just "end".
>silent
>x/s $i0
>cont
>end
(gdb) r
Starting program: /usr/bin/id
[...]
Breakpoint 2 at 0xff2c4610
Pending breakpoint "getenv" resolved
(no debugging symbols found)...
0xff0a9064:      "LIBCTF_DECOMPRESSOR"
0xff0a9078:      "LIBCTF_DEBUG"
0xff24b940:      "LIBPROC_DEBUG"
0xff351940:      "LC_ALL"
0xff351948:      "LANG"
0xff3518d8:      "LC_CTYPE"
0xff3518e4:      "LC_NUMERIC"
0xff3518f0:      "LC_TIME"
0xff3518f8:      "LC_COLLATE"
0xff351904:      "LC_MONETARY"
0xff351910:      "LC_MESSAGES"
uid=100(user) gid=1(other)

Program exited normally.
(gdb)

, GDB,
:
break $
. , $
getenv.
commands , $
.
i0 , x/s.
SPARC i0 ,
.
,
.
run, .
11 $
, /usr/bin/id. ,
, $
, , , $
$ . $
, $eax x86, $i0 SPARC $a0 MIPS.
, , , $
.


, $
, $
. ,
getenv. $
getenv , $


getenv.
.
getenv.
environ, $
. environ , $
. ,
; , NULL, ,
:
#include <stdio.h>
#include <string.h>

extern char **environ;

/* environ is a NULL-terminated array of "NAME=value" strings; this
   replacement getenv logs every lookup before returning the value. */
char *getenv(const char *variable)
{
    int ix = 0;
    size_t len = strlen(variable);

    while (environ[ix])
    {
        if (!strncmp(variable, environ[ix], len) && environ[ix][len] == '=')
        {
            printf("%s\n", environ[ix] + len + 1);
            return environ[ix] + len + 1;
        }
        ix++;
    }
    return NULL;
}


(preloading) . $

, , $
. $
,
.
. $
. $
, ,
. , $
. ,
strcpy $
,
strcpy, strcpy. $
,
. $
.
getenv; $
.
getenv; $
. $


,
getenv:
#include <string.h>

#define BUFFSIZE 20000

/* Replacement getenv: every lookup yields a 19,999-byte string of 'A's.
   The buffer is static so the pointer stays valid after the function
   returns (returning a stack array, as the original did, is undefined
   behaviour that only works by accident). */
char *getenv(const char *variable)
{
    static char buff[BUFFSIZE];
    (void)variable;
    memset(buff, 'A', BUFFSIZE);
    buff[BUFFSIZE - 1] = 0x0;
    return buff;
}

, $
. environ, $
.
GRL$ sharefuzz, $
$
setuid. $,
C $
($
, , ). Linux $
:
gcc -shared -fPIC -o my_getenv.so my_getenv.c
LD_PRELOAD=./my_getenv.so /usr/bin/target

/usr/bin/target, getenv
getenv.


, ,
, , $
. , . $
, $
.
, $
,
. $
.
.
. UNIX Linux, $
$ , $
128 . , $
139, SIGSEGV $
11. $ , $
132, SIGILL 4.


: 132 139,
.
, , . SIGABRT $
glibc
. ,
(dump core).
$ (heap),
.
, $
, .
, C ,
, , wait waitpid.
: fork execve $
wait waitpid . $
,
, wait waitpid.

iFUZZ, .
, $
( $
),
signal. $
API, $
, $
. UNIX
ptrace. fork ptrace execve
waitpid ptrace
, , $
, .
waitpid, ,
.
waitpid, , . $
,
. $
ptrace. , SPIKEfile
notSPIKEfile, $
. $
12 :
UNIX. , $
.
ptrace $
. UNIX setuid $
, SIGSEGV SIGILL. , $
ptrace, ,
.
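The crash-detection discussion above (exit status 128 + signal from a shell, `wait`/`waitpid` status decoding, hangs as a separate outcome) is what an environment-variable fuzzer has to implement around each run. The following is an added example, not iFUZZ or sharefuzz: a Python harness that launches a target once per candidate length with the chosen variable set to that many `A`s, classifies each death by signal, and reports hangs. The target it runs is a constructed stand-in for a setuid binary with a 4096-byte buffer for `$HOME`; the `INTERESTING` signal set and the 5-length schedule are this example's choices.

```python
"""Environment-variable fuzzer with crash classification from the wait
status, written as a harness for a setuid-style target."""
import os
import signal
import subprocess
import sys
import textwrap

INTERESTING = {int(s) for s in (signal.SIGSEGV, signal.SIGILL,
                                signal.SIGBUS, signal.SIGABRT)}


def shell_status_to_signal(status: int):
    """Map a shell exit status to the signal that killed the child, or None.
    The shell reports death by signal N as 128 + N: 139 is SIGSEGV (11),
    132 is SIGILL (4)."""
    return status - 128 if status > 128 else None


def classify_returncode(rc: int) -> str:
    """subprocess reports death by signal as a negative return code."""
    if rc >= 0:
        return f"exit {rc}"
    sig = signal.Signals(-rc)
    return f"crash {sig.name} ({sig.value}, shell status {128 + sig.value})"


def fuzz_env_var(argv, var: str, lengths, timeout: float = 10.0):
    """Run argv once per length with var set to that many 'A's.  Returns
    (length, verdict) for every run that died on a signal we care about;
    hangs are reported too, since they may be a DoS."""
    findings = []
    for n in lengths:
        env = dict(os.environ, **{var: "A" * n})
        try:
            proc = subprocess.run(argv, env=env, capture_output=True,
                                  timeout=timeout)
        except subprocess.TimeoutExpired:
            findings.append((n, "hang"))
            continue
        if proc.returncode < 0 and -proc.returncode in INTERESTING:
            findings.append((n, classify_returncode(proc.returncode)))
    return findings


# Constructed stand-in for a setuid binary that copies $HOME into a
# 4096-byte buffer: it kills itself with SIGSEGV once the value is longer.
FAKE_TARGET = textwrap.dedent("""\
    import os, signal
    if len(os.environ.get("HOME", "")) > 4096:
        os.kill(os.getpid(), signal.SIGSEGV)
""")


def demo():
    argv = [sys.executable, "-c", FAKE_TARGET]
    return fuzz_env_var(argv, "HOME", (16, 1024, 4096, 5000, 10000))


if __name__ == "__main__":
    for length, verdict in demo():
        print(f"HOME length {length}: {verdict}")
```

Replace `argv` with the real target (for example the output of the `find` command earlier in the chapter) and widen the length schedule; because the harness uses `waitpid` semantics through `subprocess`, a target that installs its own SIGSEGV handler and exits cleanly will not show up, which is the case the text reserves `ptrace` for.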


, ,
.
$
, $
UNIX C. $
getenv.

,
.
$
,
, $
.

8

:

+ !
$.,
, ,
24 2004

iFUZZ ,
.
UNIX c
setuid, 7 $
. iFUZZ,
, iFUZZ
IBM
AIX 5.3.

iFUZZ
iFUZZ , $
.
;
C, ;
, .
iFUZZ , $
UNIX , $
UNIX. IRIX,

iFUZZ


HP$UX, QNX, MacOS X, AIX.


:
argv.
, .
argv[0] argv[1] .
:
, , .
, ,
, $
, .
/ .
; $
,
. $
. iFUZZ
a Z,
./target a FUZZSTRING

FUZZSTRING , $
iFUZZ. $
, ,
, , , $
.
getopt. $
: , $
getopt, $
, $
. $
,
.

. , , , $
$
$
f. usage $
, :
$ ./sample_program
Usage:
f <file> Input filename
o <file> Output filename
v Verbose output
d Debug mode
s Silent mode

, $
, getopt , , $


f:o:vds. , f o $
, v, d s . $
? getopt:
options , +
, .
(:),
, . +
(::),
, ; GNU.
iFUZZ getopt,
. iFUZZ
, $
, ,
.
iFUZZ
.
, , ,
$ . . ;
, .
iFUZZ getenv $
. ,
, .
sharefuzz :
, $
. $
iFUZZ, .
getopt,
getopt $
. ,
C; $
. , $
$
.
getopt , $
usage.

, , $
. $
iFUZZ, $
fuzzing.org, $
.



iFUZZ :
, , .

. $
, .
, $
, argv[0]. $
,
argv[0],
, QNX,
Linux AIX. $
.
$
, $
,
. , $
$
argv[0]:
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char *argv[])
{
    if (argc > 1)
        printf(argv[1]);   /* user-controlled format string */
    exit(0);
}


, $
.


,
. 1999
proftpd 1.2.opre6
(Tymm Twillman) $
BugTraq1,
. $
$ snprintf(),
.2
1. http://seclists.org/bugtraq/1999/Sep/0328.html
2. http://en.wikipedia.org/wiki/Format_string_attack


. $
,
UNIX. $
. ,

. $
.
, iFUZZ
, ,
, $
. :
getopt.
: , $
, $
. $
. $
, .
$
getopt. ,
, , $
,
, $
. $
, ,
.
. $
, ,
, $
UNIX ,
.

Fork, Execute Wait


fork ($
), execute () wait ():
[...]
if ((pid = fork ()) != 0)
{
child = pid;
waitpid (pid, &status, 0);
if (WIFSIGNALED (status))
{
switch (WTERMSIG (status))
{
case SIGBUS:
case SIGILL:

case SIGABRT:
case SIGSEGV:
fprintf (stderr, "CRASH ON SIGNAL #%d\n",
WTERMSIG (status));
break;
default:
break;
}
}
}
else /* child */
{
execle ("/bin/program","program",NULL, environ);
perror ("execle");
}
[...]

Fork, Ptrace/Execute
Wait/Ptrace
, ,
, $
, $
. notSPIKEfile SPIKEfile, $
12
: UNIX:
[...]
if ( !(pid = fork ()) )
{ /* */
ptrace (PTRACE_TRACEME, 0, NULL, NULL);
execve (argv[0], argv, envp);
}
else
{ /* */
c_pid = pid;
monitor:
waitpid (pid, &status, 0);
if ( WIFEXITED (status) )
{ /* */
if ( !quiet )
printf ("Process %d exited with code %d\n",
pid,WEXITSTATUS (status));
return(ERR_OK);
}
else if ( WIFSIGNALED (status) )
{ /* */
printf ("Process %d terminated by unhandled signal %d\n",
pid, WTERMSIG (status));
return(ERR_OK);
}

else if ( WIFSTOPPED (status) )
{ /* */
if ( !quiet )
fprintf (stderr, "Process %d stopped due to signal %d (%s) ",
pid,WSTOPSIG (status), F_signum2ascii
(WSTOPSIG (status)));
}
switch ( WSTOPSIG (status) )
{ /* , */
case SIGILL:
case SIGBUS:
case SIGSEGV:
case SIGSYS:
printf("Program got interesting signal...\n");
if ( (ptrace (PTRACE_CONT, pid, NULL,
(WSTOPSIG (status) == SIGTRAP) ? 0 :
WSTOPSIG (status))) == -1 )
{
perror("ptrace");
}
ptrace(PTRACE_DETACH,pid,NULL,NULL);
fclose(fp);
return(ERR_CRASH); /* it crashed */
}
/* */
if ( (ptrace (PTRACE_CONT, pid, NULL,
(WSTOPSIG (status) == SIGTRAP) ? 0 :
WSTOPSIG (status))) == -1 )
{
perror("ptrace");
}
goto monitor;
}
return(ERR_OK);
}

iFUZZ C.
, , $
, C $ ,
, , $
.
, ,
, ; , $
UNIX, , $
. , Python Ruby, $
. Perl, $


UNIX. , ,
Perl, .
, Python Perl, $
.

.
, ,
hack, , $
bash, ,
.


iFUZZ 50 $
IBM AIX 5.3,
, $
. $
argv[0]
argv[1]. $
. , ,
. $
, $
iFUZZ $
iFUZZ. (
setuid)
iFUZZ :
piomkpq -A ascii -p X -d X -D x -q LONGSTRING;
piomkpq -A ascii -p LONGSTRING -d X -D X -q.
$
,
printq, $
, .
$
getopt iFUZZ. $
getopt a:A:d:D:p:q:Q:s:r:w:v:
ls $
:
-r-sr-x---   1 root   printq   32782 Dec 31 1969 /usr/lib/lpd/pio/etc/piomkpq*

iFUZZ $
. $
LONGSTRING
20 000 , X ,


x. X $
.
, ,
, ,
; ,
iFUZZ. $
iFUZZ argv[0], argv[1] $
setuid AIX 5.3, $
,
, .
IBM, ; $
iFUZZ $
, , ,
.


, ,
iFUZZ. ,
iFUZZ. , $
iFUZZ:
, iFUZZ $
,
, $
.
, ,
, $

.
, $
, $
. ,
.
, iFUZZ, $

setuid setgid. .
,
, , , $ $
. ,
iFUZZ , $
, $
.
, , $
. $


usage $
. , $

, $
.
,
C. C
,
. $
. $
, $
,
.

,
, ,
$
.

, ,
.

9


.
$.,
$1,
4 2003

$
. , $
$. , $
$, ,

$. $
, , , $
. $, $
, $
,
. $, $
, $
, $ $
. , $$
, , $
.

?
$ $
. (
14 )


<?

, $ $
, HTTP. $
$ $ $$
.
$,
, $
. $ $
, ,
. ,
ASP (application service provider $
).
$ $
, . $
,
. $
, $
.
, $
ASP. $
ASP,
,
. , $
$ .
, $
$, $
.
$

Microsoft Live
Microsoft $
$. $
GUI$ Microsoft Office,
2005 Microsoft
$: Windows Live Office
Live.1 Windows Live $
, Office Live $
. Microsoft $
. Live $
2002 Xbox Live $$
, Xbox.
1. http://news.com.com/2061-10805_3-6026895.html

136

9. <

,
.
. $

$ . $
, $ ,
$ . $
, , ,
,
. , $
$
.
. $
,
.


CGI
(Common Gateway Interface, CGI)
, $
(NCSA) $$
NCSA HTTP 1993 . CGI ,
$ ,
$.1 $
CGI , $
Perl.
PHP
(Hypertext Preprocessor, PHP2)
, $
$. , $
PHP
. PHP HTML
$, $
.
Flash
Flash FutureWave Soft$
ware, 1996 3 Macromedia.
1. http://en.wikipedia.org/wiki/Common_Gateway_Interface
2. http://www.php.net/
3. http://en.wikipedia.org/wiki/Adobe_Flash


Flash
,
.
$.
Macromedia Macromedia Flash, $
Macromedia Flash Player. Flash
, ActionScript,
. Flash $
, Macromedia Flash Remoting
Flash Player $
.1 Macromedia 2005 Adobe
Systems.2
JavaScript
Netscape JavaScript 1995 $
$.3 JavaScript $
, .
JavaScript HTML, $
$, .
JavaScript ,
$ $
. , Mi$
crosoft ASP.Net (. ), JavaScript.
Java
Java (James Gosling) Sun Mi$
crosystems. Oak $
. $
$
Java, , Oak .4
Java $
. Java
,
Java Virtual Machine, . $
Java . $
$, $
.
1. http://www.macromedia.com/software/flashremoting/
2. http://en.wikipedia.org/wiki/Macromedia
3. http://en.wikipedia.org/wiki/Javascript
4. http://en.wikipedia.org/wiki/Java_programming_language


ASP.Net
.Net , .
CLR, , Visu$
al Basic C#. Microsoft .Net 2002 $
, $
, $. Java ,

, (Common Inter$
mediate Language, CIL), $
.1 $ ASP
.Net, . ASP.Net $
.Net$ .
1. http://en.wikipedia.org/wiki/Microsoft_.Net

$ $
, ,
$ ,
. $ $
, , $
. $
,
:
$
Microsoft Outlook Web Access Cross$Site Scripting Vulnerability
http://www.idefense.com/intelligence/vulnerabilities/
display.php?id=261


phpBB Group phpBB Arbitrary File Disclosure Vulnerability
http://www.idefense.com/intelligence/vulnerabilities/
display.php?id=204

Tikiwiki tiki$user_preferences Command Injection Vulnerability


http://www.idefense.com/intelligence/vulnerabilities/
display.php?id=335


WordPress Cookie cache_lastpostdate Variable Arbitrary PHP Code


Execution
http://www.osvdb.org/18672

(Enterprise Resource Planning,


ERP)
SAP Web Application Server sap$exiturl Header HTTP Response
Splitting
http://www.osvdb.org/20714


AWStats Remote Command Execution Vulnerability
http://www.idefense.com/intelligence/vulnerabilities/
display.php?id=185


IpSwitch WhatsUp Professional 2005 (SP1) SQL Injection Vulnerability
http://www.idefense.com/intelligence/vulnerabilities/
display.php?id=268
Multiple Vendor Cacti Remote File Inclusion Vulnerability
http://www.idefense.com/intelligence/vulnerabilities/
display.php?id=265

, $$
, ,
, , $
.

$, $
.
$ $
. $
. ,
,
, $
. , $, $
, . $
, , ,
.


$
, .
: , $
$, $
. , , $
,
.
CPU$ / $
. , $
, ,
$
.
$ $
.
$ . $
, , , $
: , ,
, $.
. $
, $
, . ,
$ , $
, .
, Windows XP1
Linux, $, , $
$ $
.
(VM), VMWare2
Microsoft Virtual Machine3,
$. $$
$ VM,
. $
$. $,
, $, $
VM.
. , $
$
, , $

1. http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/iiiisin2.mspx
2. http://www.vmware.com
3. http://www.microsoft.com/windows/virtualpc/default.mspx


. , , $
, .


, $
$, $
. : $
? , $
, URL cookies, $
$? $? ,
.
, $ .
,
$, ,
. $
$ $, Microsoft Inter$
net Explorer Mozilla Firefox. $, $
$
URL . , $
$, $
. , , $$
. telnet$, $
. Telnet $
, TCP.
$
:
telnet www.fuzzing.org 80[Return]
GET / HTTP/1.1[Return]
Host: www.fuzzing.org[Return]
[Return]

. telnet$
: (fuzzing.org)
(80). Telnet TCP$ 23. $
$ ,
TCP$ 80. $
, HTTP. $
, (GET). $
.
/ $, $
. $ $
$ , .
$, HTTP
(HTTP/1.1).
, HTTP 1.0 , HTTP 1.1


. 1 ( $
Return), :
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html
Set-Cookie: PREF=ID=56173d883ba96ae9:TM=1136763507:LM=1136763507:S=W43uFkQu1vexoPq; expires=Sun, 17-Jan-2038 19:14:07 GMT; path=/; domain=.google.com
Server: GWS/2.1
Transfer-Encoding: chunked
Date: Sun, 08 Jan 2006 23:38:27 GMT

<html>
<head>
<meta http-equiv="content-type" content="text/html;charset=UTF-8">
<title>Google</title>
<style><!--
body,td,a,p,.h{font-family:arial,sans-serif;}
.h{font-size: 20px;}
.q{color:#0000cc;}
//-->
</style>
</head>
<body bgcolor=#ffffff text=#000000 link=#0000cc vlink=#551a8b alink=#ff0000 topmargin=3 marginheight=3>
<center>
[snip]
<a href=http://www.google.com/intl/en/about.html>About Google</a>
<span id=hp style="behavior:url(#default#homepage)"></span>
</font><p><font size=2>&copy;2006 Google</font></p></center>
</body>
</html>

HTML$ $,
, $ $
. HTML$
$, $
, ,
URL. , , ,
, .

1. http://rfc.net/rfc2616.html#s14.23


, $
, HTTP$.
$? $
, $ Internet Explo$
rer. Ethereal :
GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
Host: www.google.com
Connection: Keep-Alive
Cookie: PREF=ID=32a1c6fa8d9e9a7a:FF=4:LD=en:NR=10:TM=1130820854:LM=1135410309:S=b9I4GWDAtclpmXBF

? HTTP $
, $
. HTTP/1.1
176$ RFC 2616 Hypertext Transfer
Protocol HTTP/1.1.1 $
, , $
:

Accept: */*
Accept , $
. , $
(*/*).
, text/html image/jpeg.

Accept-Language: en-us
AcceptLanguage
, . $
.
RFC 1766 Tags for the Identifi$
cation of Languages ( ).2

Accept-Encoding: gzip, deflate


,
.
, gzip3 deflate4.

1. http://rfc.net/rfc2616.html
2. http://rfc.net/rfc1766.html
3. http://rfc.net/rfc1952.html
4. http://rfc.net/rfc1951.html


User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)
UserAgent ($), $
. ,
$
. Microsoft Internet
Explorer 6.0 SP2, Windows XP SP2.

Host: www.google.com
, $
$. , $
$ . ,
IP$ .

Connection: Keep-Alive
Connection $
.
, . Con
nection: close ,
.

Cookie: PREF=ID=32b1c6fa8e9e9a7a:FF=4:LD=en:NR=10:TM=1130820854:LM=1135410309:S=b9I4GWDAtc2pmXBF
Cookies $
, $
. Cookies
.

$ . $
$, .

, , $
$
. , ,
$, $
.
, (Uniform Resource
Identifier, URI), HTTP, HTTP $
. $
:
[Method] [RequestURI] HTTP/[Major Version].[Minor Version]
[HTTP Headers]
[Post Data]


$ GET POST.
,
$.
$. GET $
URI . , http://www.google.com/se
arch?as_q=security&num=10 Google $
, security (as_q=security) $
10 (num=10). $
GET URI $
?, &.
POST. $
, $
HTTP HTTP. $
, $
. HTTP
URI, $ $$
. $ 414 (URI
), URI .
POST , URI $
, .
, , $
URI Google Maps,
. ,
?
http://maps.google.com/maps?hl=en&q=1600+Pennsylvania+Ave&near=20500
, $ $
. :
HEAD. GET, $
, HTML$ $.
PUT. $.
, $
, PUT ,
. ,
Microsoft Security Bulletin
MS05$006.1 , $
Microsoft SharePoint $
PUT.2

1. http://www.microsoft.com/technet/security/Bulletin/MS05-006.mspx
2. http://support.microsoft.com/kb/887981


DELETE.
$. ,
,
, .

$.
TRACE. , $
. $
,
, . 2003
(Jeremiah Grossman) WhiteHat Security $
Cross$Site Tracing (XST)1, $
, ,
$ cookies $
, TRACE.
, TRACE
.
CONNECT. , $
.
OPTIONS. $ $
, . $
, ,
.

OPTIONS, , ,
$ $
(Internet Information Services, IIS), $
WebDAV, $
HTTP, $. $
MS03$0072 (Unchecked Buffer in
Windows Component Could Cause Server Compromise $
Windows ).
OPTIONS * HTTP/1.0 , OPTIONS,
, WebDAV.3 , $
, WebDAV , $
Public:
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Mon, 17 Mar 2003 21:49:00 GMT
Public: OPTIONS, TRACE, GET, HEAD, POST
Content-Length: 0

1. http://www.cgisecurity.com/whitehat-mirror/WH-WhitePaper_XST_ebook.pdf
2. http://www.microsoft.com/technet/security/bulletin/MS03-007.mspx
3. http://www.klcconsulting.net/articles/webdav/webdav_vuln.htm


,
WebDAV. , WebDAV $
Microsoft IIS 5.0, $
, MS03$007,
:
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.0
Date: Mon, 17 Mar 2003 21:49:00 GMT
Content-Length: 0
Accept-Ranges: bytes
DASL: <DAV:sql>
DAV: 1, 2
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Cache-Control: private

(URI)
$ URI. URI
($), .
(, http://www.target.com/page.html)
(/page.html) . $
, $ $
. *
OPTIONS. $
. , , $

/dir/page.html?name1=value1&name2=value2

:
/[path]/[page].[extension]?[name]=[value]&[name]=[value]

$
. $ $
, $
, $ , ,
.
,
, ,
.
:
.
.
, $
../.
,



, , ,
.
. Macromedia JRun 4 Web Server
JRun 4 Updater 5 $
.1 $
, 65 536 .
$
.
.
3Coms Network Supervisor $
.2 $, $
TCP$ 21700; , Network Supervi$
sor 5.0.2 URL,
../, $
$. ,
, , , .
. $
,
.
. Microsoft IIS 4.0
, $
.htr, .stm .idc.
Microsoft
Security Bulletin MS99$0193, .
. 3Com OfficeConnect
Wireless 11g Access Point , $
$ $
$ $
.4 , /main/config.bin
, , $
.
Nikto5 ,
, $$
,
$.
. , $
, ,
. $
1. http://www.idefense.com/intelligence/vulnerabilities/display.php?id=360
2. http://www.idefense.com/intelligence/vulnerabilities/display.php?id=300
3. http://www.microsoft.com/technet/security/bulletin/MS99-019.mspx
4. http://www.idefense.com/intelligence/vulnerabilities/display.php?id=188
5. http://www.cirt.net/code/nikto.shtml


: *.html (HyperText Markup Language $


), *.asp (Active Server Page )
*.php (Hypertext Preprocessor ).
$ ,
.
. $
, $
. $
, $
.
.
, $. $
, length=50, $
, $
, . ,
, , $
? ? $
, $
.
, .
,
, , $
. :
, $
.
. , , ,
(/, =, &, ., : . .),
. $
$ , $
, $
.

$
HTTP, , HTTP $
, , , , $
. $
HTTP HTTP/1.1.
HTTP (HTTP/[major].[minor]).

.
:
[Header name]: [Header value]


, : $
, (:).
, $
. $
, HTTP, $
RFC:
RFC 1945Hypertext Transfer ProtocolHTTP/1.01
RFC 2616Hypertext Transfer ProtocolHTTP/1.12
, , $
, $
.



2006 iDefense Labs $
Novell
SUSE Linux Enterprise Server 9.3 $
POST $
ContentLength. , $
:
POST / HTTP/1.0
Content-Length: 900

[Data to overwrite the heap]

Cookies
Cookies ; HTTP,
$,
cookies. cookies :
Cookie: [Name1]=[Value1]; [Name2]=[Value2] ...

, .
, cookies ,
.

1. http://rfc.net/rfc1945.html
2. http://rfc.net/rfc2616.html
3. http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=371


POST
,
$ URI GET, $
HTTP POST. :
[Name1]=[Value1]&[Name2]=[Value2]


(Greg MacManus) iDefense Labs
$, $
Linksys.1 $
, POST apply.cgi
10 000 .
$
, $
,
.


$ $
, $
, , . $

. , $
. $
.
$
:
$


$



cookies

1. http://www.idefense.com/intelligence/vulnerabilities/display.php?id=305



$ $ $
. , $
$. , (
="hidden"),

. ,
,
. , $
, , .
$
/. , $
cookies, ,
HTTP $
. HTTP, $
Wireshark.1
$
, $, ,
$. $
, $ ($
$).
$, $
, $$
. $
, , . ,
, , $
. , $ wget.2 $
UNIX,
win32.3
, WebScarab.4 WebScarab, $
Open Web Application Security Project (OWASP),
$.
WebScarab $, $
. $
WebScarab, $
/ .
$,
, .

1. http://wireshark.org/
2. http://www.gnu.org/software/wget/
3. http://gnuwin32.sourceforge.net/packages/wget.htm
4. http://www.owasp.org/software/webscarab.html


$ $
, .
:
(Denial+of+service, DoS). DoS$ $
. DoS$
,
, $
, $
.
(Cross+site scripting, XSS). $
Mitre 2006 XSS 21,5% $
.1 , XSS$
$, $
. $ XSS$
, ,
$. , XSS, $
$, $
, , $
.
SQL. $
SQL , $
. Mitre 2006 ,
SQL (14%)
. $ $
$, ,
SQL,
. ,
SQL , , , $
;
.
SQL $
$
.
/ . ,
, $ $
, , , .
,

. , $
$
, .
1. http://cwe.mitre.org/documents/vuln-trends.html#table1


$ $
, $
.
.
, , $
. $
,
. $
, , $
$ :
,
.
. , HTTP $
, $
, $
$
.
cookies URI ,
, . Cookies
,
. $
cookies , $
.
. , ,
$ , $
. , $
$ , C#
Java, , $
. , $
. $
,
, C C++,
. ,
: $ $. $$
, $
.
HTTP. $$
GET POST. ,
, ,
RFC$. ,

. , $
$
, .


. $ $

.
, $
. PHP Perl
.
.
PHP$. ,
,
include() require(), PHP
, . ,
,
$ PHP. , $
, Mitre 2006 ,
9,5%.
. $
, . ,
, , $
,

, .
, ,
. $
,
, .
HTTP+. HTTP$
Sanctum Inc.
Divide and Conquer.1 ,
CRLF
. , , $
$ ,
$ $.
HTTP+ (Cross+Site Request Forgery, CSRF).
CSRF$ ; $
. ,
$ $
, $ , , $
. , $ $

$, $
. ,
.
1. http://www.packetstormsecurity.org/papers/general/whitepaper_httpresponse.pdf


,
$ ,
. CSRF$ $$
$
, $
. $ $
$
.
$,
, $ $
. , , $
, $
. $
$, HTTP,
, $
. $
Web Application Secu$
rity Consortiums Threat Classification.1

$$
. $
, $ $
, $ 10 000 $
. , , ,
. , $
, $
:
HTTP. $ , $
.
10 RFC 2616 Hy$
pertext Transfer Protocol HTTP/1.1.2 $
, .
, (500) $
, $
. , 401
, , $
.
+. $ $
,

1. http://www.webappsec.org/projects/threat/
2. http://rfc.net/rfc2616.html

157

. $
HTML .
.
, , ,
. ,
,
.
, $
, $
.
. $ ,
. , $
, $
. , $
, . $
, ,
$ $
, .
, $
, .
.
$ , , $
,
. $
Microsoft Windows; $
Event Viewer.
. $
$
, . $
$
, $
. , $
, , $
,
, $
$
. , $
, .
$$
, ,
.
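The response-analysis criteria just listed (HTTP status class, error text in the page, missing or slow responses, and so on) are worth encoding once and running over every reply, since a fuzzer of this kind sends thousands of requests. The following is an added example and not part of WebFuzz or any tool in the book: it tags each response, using real database error strings as the SQL-error signatures and the median response time of the run as a baseline for the timing check. The 5x-median "slow" threshold and the sample responses are this example's own choices.

```python
"""Triage of fuzzer responses along the lines the list above describes:
status class, error text in the body, and timing relative to a baseline."""
import re

# Error strings the major database engines put into pages when a query
# breaks; any of them in a response is a strong SQL injection indicator.
SQL_ERROR_SIGNATURES = [
    r"You have an error in your SQL syntax",          # MySQL
    r"Unclosed quotation mark after the character",   # Microsoft SQL Server
    r"Microsoft OLE DB Provider for (SQL Server|ODBC Drivers)",
    r"ORA-\d{5}",                                     # Oracle
    r"PostgreSQL.*ERROR|pg_query\(\)",                # PostgreSQL
    r"SQLSTATE\[",                                    # PDO
    r"sqlite3?\.OperationalError|SQLite3::SQLException",
]
STACK_TRACE_SIGNATURES = [r"Traceback \(most recent call last\)",
                          r"\bat [\w.$]+\(\w+\.java:\d+\)",
                          r"Stack Trace:"]


def classify_response(status, body: str, elapsed: float,
                      timeout: float, baseline: float) -> list:
    """Tags for one fuzz response.  status is None when nothing came back."""
    tags = []
    if status is None:
        tags.append("timeout" if elapsed >= timeout else "connection-failed")
    elif status >= 500:
        tags.append("server-error")
    elif status in (401, 403):
        tags.append("auth-required")
    elif status == 404:
        tags.append("not-found")
    elif 300 <= status < 400:
        tags.append("redirect")
    if any(re.search(p, body, re.I) for p in SQL_ERROR_SIGNATURES):
        tags.append("sql-error")
    if any(re.search(p, body) for p in STACK_TRACE_SIGNATURES):
        tags.append("stack-trace")
    if status is not None and elapsed > 5 * baseline:
        tags.append("slow")          # candidate resource exhaustion / DoS
    return tags


def triage(results, timeout: float) -> dict:
    """results: iterable of (request_id, status, body, elapsed).  Uses the
    median elapsed time as the baseline and returns {request_id: tags}
    for every response that earned at least one tag."""
    results = list(results)
    times = sorted(e for _, s, _, e in results if s is not None)
    baseline = times[len(times) // 2] if times else timeout
    out = {}
    for rid, status, body, elapsed in results:
        tags = classify_response(status, body, elapsed, timeout, baseline)
        if tags:
            out[rid] = tags
    return out
```

A "timeout" or "slow" tag is only meaningful when the next request succeeds again; a run of timeouts usually means the server is down from an earlier request, which is the state the text warns about when it recommends restarting the target between batches.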


$ $$
,
$. , $
$ .
$
, $
.
; $
. $$
, ,
.

10

:

.
,
, .
$.,
, ,
13 2001

, .
.
. .
$.,
, ,
13 2002

, , $
, .
, ,
WebFuzz $.
,
. $
. $
.
,


, $
. $?
, $$
, , WebFuzz .


$ . $
, . $
$:
SPIKE Proxy1. . SPIKE Proxy $
, Python. $
, $, $
$$ $
, SQL, $
XSS. SPIKE Proxy
, $
. SPIKE Proxy ,
. . 10.1
SPIKE Proxy.

. 10.1. SPIKE Proxy

1. http://www.immunitysec.com/resources-freesoftware.shtml


WebScarab1. Open Web Application Security Project


(OWASP)
$, WebScarab.
$ $
, $
.
SPI Fuzzer2. SPI Toolkit, , ,
WebInspect. WebInspect $
, SPI Dynamics $
$$
.
Codenomicon HTTP Test Tools3. Codenomicon $
,
HTTP.
beSTORM4. Codenomicon, Beyond Security
. beSTORM , $
$,
HTTP.

WebFuzz SPI Fuz$


zer. SPI Fuzzer , $
$,
HTTP, $
. HTTP, $
, .
, ,
.
. 10.2 SPI Fuzzer.
SPI Fuzzer ,
$
. , SPI Fuzzer,
, ,
, WebFuzz.
, WebFuzz , $
. $
,
. $
.
, .

1. http://www.owasp.org/index.php/Category:OWASP_WebScarab_Project
2. http://www.spidynamics.com/products/webinspect/toolkit.html
3. http://www.codenomicon.com/products/internet/http/
4. http://www.beyondsecurity.com/BeStorm_Info.htm


. 10.2. SPI Fuzzer

, , WebFuzz $
. , ,
.
, , $
, $
. WebFuzz $
, $
. WebFuzz $
www.fuzzing.org.

,
,
HTTP, ,
.


. $ ,
. $
$. ,
(HTTP)
HTTP.
. $
.
,
.
. 10.3 WebFuzz.
:
. IP$ $ $
. $, WebFuzz
, . .
. $ TCP$$
80, TCP$. ,
$,
, ,
$.
, , WebFuzz, $
, .
+. $
, $, , $
, . ,
timeout, $
. $
,
: , ,
DoS.
(Request Headers). $
. $
, URI , $
. $
, ,
. $
, (Request
headers). ,
(point$and$click), $
, , $
. 10.3. $
(Default Headers),
$ .


. 10.3. WebFuzz


,
. ,
$
. , $
$
, (, [Overflow]).

: (static lists)
(generated variables).
, $
. $
XSS. $
, $
XSS (, <script>alert('XSS')</script>), $
.
ASCII; ,

.
,
. Overflow
. ,
, $
. . 10.4 , $
.


. 10.4.


.
$
(, $
),
,
. WebFuzz
.
,
WebFuzz
. WebFuzz , $
:
[Methods] /file.php?var1=[XSS][SQL]&var2=[Format] HTTP/1.1
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0
Host: [Overflow]
Proxy-Connection: Keep-Alive

WebFuzz (responses)
. ,
.
$
(raw results), HTML $. . 10.5
, . 10.6 $$
. ,
. , $
( , 500 ), $
DoS. , $ $
, $
SQL. $
.


. 10.5.

. 10.6. HTML



HTTP
,
.
,
$.


WebFuzz
HTTP, , $$
? $ ?
?
, ,
. $
, $, $
WebFuzz $
$. LiveHTTPHeaders1
HTTP $
Mozilla. . 10.7 , LiveHTTPHeaders
Firefox.

. 10.7. LiveHTTPHeaders
1. http://livehttpheaders.mozdev.org/


,
, WebFuzz, $
. $
, Tamper Data1 Firebug2 Firefox Fiddler3
Internet Explorer, LiveHTTPHeaders
.

, $ $
, $
. WebFuzz , $
, $
.
$, ,
.
.
, , HTML$
, $
Responses ().
WebFuzz
:
HTML

,


WebFuzz

$
, ,
.

HTML
, HTML $
, $
. $
, WebFuzz $
, ,
.
, .
1. https://addons.mozilla.org/firefox/966/
2. http://www.getfirebug.com/
3. http://www.fiddlertool.com



$ $
$. $
$ ,
. , $
: $
. $
$ , $
, , .
( $
) (), $
.
SQL.

,
$
,
XSS. $ $
, , , $
. , HTML$
, WebFuzz, , $
XSS.


DoS$ ,
.
, $
DoS$. $
, $
, ,
, CPU.


, ,
$
DoS$.

WebFuzz
WebFuzz $
, $ . $
, $ $
, WebFuzz , $
. ,
DoS$.



$
, , .
, . $
,
. , $
, ,
. , ,
$ $
. ,
, FileFuzz COMRaider,
. $
, WebFuzz $
. $
$, $
, ,
DoS$.

, , . $
$.

WebFuzz
$.
HTTP,
.
, $
.
,
.


WebFuzz GUI$$
. C# $
. $, C#
GUI . $, C#
. $
C# , Win$
dows. $ ,
, . ,
Windows
Windows.


,
. $
,
. ,
, , $.

TcpClient
C# WebClient,
HTTP. , $
,
.
, WebFuzz,
HTTP. C# $
HttpWebRequest HttpWebResponse.
,
, . $
WebFuzz? . $
TcpClient,
TCP$, HTTP.
$. ? $
?
, .
,
, . , $
.

HTTP, , , $$
. , , :
WebClient wclFuzz = new WebClient();
wclFuzz.Headers.Add("blah", "blah");
Stream data = wclFuzz.OpenRead("http://www.fuzzing.org");
StreamReader reader = new StreamReader(data);
data.Close();
reader.Close();

, $
$ WebClient.
GET (blah:
blah). , $
, , :
GET / HTTP/1.1
blah: blah
Host: www.fuzzing.org
Connection: Keep-Alive


, : Host
Connection. $ , $
. $
,
.
TcpClient WebFuzz.


.
,
WebFuzz , $

.
. , ,
, ,
, .
,
$
$. , WebFuzz
, , , , $
. ,
.
, ,
. .
WebFuzz, $
:
TcpClient client;
NetworkStream stream;
ClientState cs;
try
{
client = new TcpClient();
client.Connect(reqHost, Convert.ToInt32(tbxPort.Text));
stream = client.GetStream();
cs = new ClientState(stream, reqBytes);
}
catch (SocketException ex)
{
MessageBox.Show(ex.Message, "Error", MessageBoxButtons.OK,
MessageBoxIcon.Error);
return;
}
catch (System.IO.IOException ex)
{
MessageBox.Show(ex.Message, "Error", MessageBoxButtons.OK,
MessageBoxIcon.Error);


return;
}
IAsyncResult result = stream.BeginWrite(cs.ByteBuffer, 0,
cs.ByteBuffer.Length, new AsyncCallback(OnWriteComplete), cs);
result.AsyncWaitHandle.WaitOne();

TCPClient NetworkStream, Begin


Write(). :1
byte[] array , , $
;
int offset , ;
int numBytes ;
AsyncCallback userCallback , ,
;
object stateObject ,
.
AsyncWaitHandle.WaitOne() ,
. ,
:
public static void OnWriteComplete(IAsyncResult ar)
{
try
{
ClientState cs = (ClientState)ar.AsyncState;
cs.NetStream.EndWrite(ar);
}
catch (System.ObjectDisposedException ex)
{
MessageBox.Show(ex.Message, "Error",MessageBoxButtons.OK,
MessageBoxIcon.Error);
}
}

, $
:
try
{
result = stream.BeginRead(cs.ByteBuffer, cs.TotalBytes,
cs.ByteBuffer.Length - cs.TotalBytes,
new AsyncCallback(OnReadComplete), cs);
}
catch (System.IO.IOException ex)
{
MessageBox.Show(ex.Message, "Error",MessageBoxButtons.OK,
MessageBoxIcon.Error);
1. http://msdn.microsoft.com/library/en-us/cpref/html/frlrfsystemiofilestreamclassbeginwritetopic.asp

ReadDone.Close();
return;
}

, $
$. Begin
Read(), , BeginWrite(),
OnReadComplete():
public void OnReadComplete(IAsyncResult ar)
{
readTimeout.Elapsed += new ElapsedEventHandler(OnTimedEvent);
readTimeout.Interval = Convert.ToInt32(tbxTimeout.Text);
readTimeout.Enabled = true;
ClientState cs = (ClientState)ar.AsyncState;
int bytesRcvd;
try
{
bytesRcvd = cs.NetStream.EndRead(ar);
}
catch (System.IO.IOException ex)
{
MessageBox.Show(ex.Message, "Error", MessageBoxButtons.OK,
MessageBoxIcon.Error);
return;
}
catch (System.ObjectDisposedException ex)
{
return;
}
cs.AppendResponse(Encoding.ASCII.GetString(cs.ByteBuffer,
cs.TotalBytes, bytesRcvd));
cs.AddToTotalBytes(bytesRcvd);
if (bytesRcvd != 0)
{
cs.NetStream.BeginRead(cs.ByteBuffer, cs.TotalBytes,
cs.ByteBuffer.Length - cs.TotalBytes,
new AsyncCallback(OnReadComplete), cs);
}
else
{
readTimeout.Enabled = false;
if (ReadDone.Set() == false)
ReadDone.Set();
}
}

OnReadComplete() (readTimeout), $
ReadDone.Set(),
. ,


, $
, .
.
, . $
, . , $
BeginRead(). , .


, .
, , (Request Headers),
,
. $
, (Request)
btnRequest_Click():
if (rawRequest.Contains("[") != true || rawRequest.Contains("]") != true)
rawRequest = "[None]" + rawRequest;
while (rawRequest.Contains("[") && rawRequest.Contains("]"))
{
    // text between the first '[' and the first ']' is the placeholder name
    fuzz = rawRequest.Substring(rawRequest.IndexOf('[') + 1,
        (rawRequest.IndexOf(']') - rawRequest.IndexOf('[')) - 1);

, ,
,
. $
, , $
:
int arrayCount = 0;
int arrayEnd = 0;
Read fuzzText = null;
WebFuzz.Generate fuzzGenerate = null;
ArrayList fuzzArray = null;
string replaceString = "";
string[] fuzzVariables = { "SQL", "XSS", "Methods", "Overflow", "Traversal",
"Format" };
switch (fuzz)
{
case "SQL":
fuzzText = new Read("sqlinjection.txt");
fuzzArray = fuzzText.readFile();
arrayEnd = fuzzArray.Count;
replaceString = "[SQL]";
break;
case "XSS":
fuzzText = new Read("xssinjection.txt");
fuzzArray = fuzzText.readFile();
arrayEnd = fuzzArray.Count;
replaceString = "[XSS]";

break;
case "Methods":
fuzzText = new Read("methods.txt");
fuzzArray = fuzzText.readFile();
arrayEnd = fuzzArray.Count;
replaceString = "[Methods]";
break;
case "Overflow":
fuzzGenerate= new WebFuzz.Overflow(overflowFill, overflowLength,
overflowMultiplier);
fuzzArray = fuzzGenerate.buildArray();
arrayEnd = fuzzArray.Count;
replaceString = "[Overflow]";
break;
case "Traversal":
fuzzGenerate= new WebFuzz.Overflow("../", 1, 10);
fuzzArray = fuzzGenerate.buildArray();
arrayEnd = fuzzArray.Count;
replaceString = "[Traversal]";
break;
case "Format":
fuzzGenerate= new WebFuzz.Overflow("%n", 1, 10);
fuzzArray = fuzzGenerate.buildArray();
arrayEnd = fuzzArray.Count;
replaceString = "[Format]";
break;
case "None":
ArrayList nullValueArrayList = new ArrayList();
nullValueArrayList.Add("");
fuzzArray = nullValueArrayList;
arrayEnd = fuzzArray.Count;
replaceString = "[None]";
break;
default:
arrayEnd = 1;
break;

, (SQL,
XSS (Methods)), Read() $
ASCII, $
. ( (Overflow), $
(Traversal) (Format)), , $
Generate() ,
.


, WebFuzz ,
, HTML, , $
. , ,
, , ($


) ListView. , ,

ListView, Rich$
TextBox WebBrowser:
rtbRequestRaw.Text = reqString;
rtbResponseRaw.Text = dataReceived;
wbrResponse.DocumentText = html;
string path = getPath(reqString);
lvwResponses.Items.Add(lvwResponses.Items.Count.ToString());
lvwResponses.Items[lvwResponses.Items.Count - 1].SubItems.Add(status);
lvwResponses.Items[lvwResponses.Items.Count - 1].SubItems.Add(reqHost);
lvwResponses.Items[lvwResponses.Items.Count - 1].SubItems.Add
(requestString.Substring(0, requestString.IndexOf("\r\n")));
lvwResponses.Refresh();
requestsRaw[lvwResponses.Items.Count - 1] = reqString;
responsesRaw[lvwResponses.Items.Count - 1] = dataReceived;
responsesHtml[lvwResponses.Items.Count - 1] = html;
responsesHost[lvwResponses.Items.Count - 1] = reqHost;
responsesPath[lvwResponses.Items.Count - 1] = path;

, WebFuzz
. , $
HTTP.

www.fuzzing.org.


, , WebFuzz, $
. , .


, , $
$
, . $
,
$ $
, . , $
, , $
. ,
, $
, $
.

../, .


URL, $
$. $
, , ,
.
, $
$. , Windows $
boot.ini win.ini, ASCII, $

Windows.

Trend Micro Control Manager1,
IMAGE rptserver.asp. $
WebFuzz get$ rptserver.asp,
IMAGE [Tra
versal], win.ini.
. 10.8: ,
.

. 10.8. Trend Micro Control Manage


1. http://www.idefense.com/intelligence/vulnerabilities/display.php?id=352


. 10.9. Ipswitch Imail Web Calendaring

, . Ipswitch
Imail Web Calendaring1 , $
, $ $
.
,
JSP. WebFuzz (. 10.9).
GET , $
$ blah.jsp, $
, , boot.ini.
. 10.9 , , $
$, .

$, $
$
GUI, . ,
1. http://www.idefense.com/intelligence/vulnerabilities/display.php?id=242


, $

. , $
. $
, ,
,
. , $
, DoS$ $
.
WebFuzz
, .
, PMSoftwares Simple Web
Server1?
GET . , ,
:
GET /[Overflow] HTTP/1.1

404 Page Not Found (


), . 10.10 , WebFuzz
$ . ?

. 10.10. +
1. http://secunia.com/advisories/15000/


. 10.11. +

, $
Simple Web Server, ,
. 10.11.
( Simple Web Server). $
, $
. , DoS$.
? . 10.12, $
, EIP $
, .
, . $
. $
.

. 10.12. +


SQL
SQL ,
SQL
.
, .
,
SQL.
SQL $
Ipswitch Whatsup Professional (SP1)1
. $
? LiveHTTPHeaders ,
Login.asp
POST, :
POST /NmConsole/Login.asp HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://localhost/NmConsole/Login.asp
Cookie: Ipswitch={A481461B-2EC6-40AE-B362-46B31959F6D1}
Content-Type: application/x-www-form-urlencoded
Content-Length: 81

bIsJavaScriptDisabled=false&sUserName=xxx&sPassword=yyy&btnLogIn=Log+In

,
, :
POST /NmConsole/Login.asp HTTP/1.1
Host: localhost
bIsJavaScriptDisabled=false&sUserName=[SQL]&sPassword=&btnLogIn=Log+In

: There was
an error while attempting to login: Invalid user name ( +
: ).
WebFuzz , , $
. 10.13,
. ,
.

1. http://www.idefense.com/intelligence/vulnerabilities/display.php?id=268


. 10.13. Ipswitch Whatsup Professional (SP1)

SQL. $
' or 1=11 , $
UPDATE
. $
, SQL,
; ?
Google. $, Ipswitch $
.2
, $ $
, . :
Ipswitch , . $
Ipswitch3 ,
:
osql -E -D WhatsUp -Q "UPDATE WebUser SET sPassword=DEFAULT WHERE sUserName='Admin'"

, Ipswitch, $
,
, . ,
SQL.
, $
:
/: $$
. ?
/: SQL $

1. http://www.securiteam.com/securityreviews/5DP0N1P76E.html
2. http://www.ipswitch.com/support/whatsup_professional/guides/WhatsUp-DBSchema.zip
3. http://support.ipswitch.com/kb/WP-20041122-DM01.htm


XSS
XSS . Mitre 2006 21,5% $
XSS, .1 slackers.org
XSS2, ,
.
$, XSS $
. $
$
.
, $
JavaScript. , , $
$ $
.
XSS $$
. SPI Dynamics $ http://zero.web+
appsecurity.com (. 10.14) WebInspect,

. 10.14. SPI Dynamics Free Bank


1
2

http://cwe.mitre.org/documents/vuln-trends.html#table1
http://sla.ckers.org/forum/read.php?3,44

185

$.
$. post login1.asp, $
rootlogin.asp.
XSS. , ,
txtName, Last Name:
rootlogin.asp. $
, $
XSS$.
XSS $
JavaScript ,
. ,
, $
, JavaScript
$. , XSS $
:
POST /rootlogin.asp HTTP/1.1
Host: zero.webappsecurity.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.1) Gecko/20061204 Firefox/2.0.0.1
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://zero.webappsecurity.com
Content-Type: application/x-www-form-urlencoded
Content-Length: 72

txtPassPhrase=first&txtName=<script>alert('Does fuzzing work?')</script>&txtHidden=This+was+hidden+from+the+user

. 10.15, $
, .
, , $
.
, ,
. . .
, ,
. Java$
Script, ? ,
. , $
JavaScript, ,
. HTML? $
, , Java$
Script, XSS. HTML$
IMG .

186

10. < :

. 10.15.

HTML$ IMG,
$$
. , , ,
, voila! , XSS. .
WebFuzz .
WebFuzz $
. $
.
xssinjection.txt:
%3Cimg+src%3D%27http%3A%2F%2Flocalhost%2Fblah%27%3E

URL$ ,
$
:
<img src='http://localhost/blah'>

?
#Software: Microsoft Internet Information Services 5.1
#Version: 1.0
#Date: 2007-01-31 00:57:34
#Fields: time c-ip cs-method cs-uri-stem sc-status
00:57:34 127.0.0.1 GET /xss 404

! 404 Page Not Found , Web$


Fuzz rootlogin.asp, $
XSS.


WebFuzz , $
, ,
. , ,
HTTP,
, . ,
,
. $
, , $

.
Web$
Fuzz, .
, , $

. WebFuzz
$, $
, . ,
$
, . , $

,
, XSS.
, , . $
,
,
.

$ , $
. $
,
$
. WebFuzz , $
. $
WebFuzz
.

11


.
$.,
, ,
19 2000


. , $
, , $ $
. , $
, , $
. $
$
, .
2005 2006 $
,
:
$
. $
eEye, , $
Zero$
Day Tracker.1 , , $
$
. $
1

http://research.eeye.com/html/alerts/zeroday/

189

, $
.

,
.
. $
, $ ,
, .
, $
, . ,
,
.
Microsoft
Exchange TNEF, . 11.1
.
11.1.

http://www.tippingpoint.com/security/advisories/TSRT-06-10.html
Microsoft
HLINK.DLL

http://www.idefense.com/intelligence/


vulnerabilities/display.php?id=318
CHM
Kaspersky



m3u Winamp

http://www.microsoft.com/technet/security/Bulletin/MS06-055.mspx

$

http://www.idefense.com/intelligence/

vulnerabilities/display.php?id=76
MIME WinZip

TNEF
http://www.microsoft.com/technet/security/Bulletin/MS06-003.mspx
Microsoft Exchange

http://www.idefense.com/intelligence/
vulnerabilities/display.php?id=377

190

11.

, $
. $
. ,
, $
. $
$: ,
.
!1
,
. , , $
, Microsoft Security
Bulletin MS06-055, Internet Explorer,
Outlook.

,
. $
, , $
: , $
. , $
,
$
.
, $
, .
.
, $
,
,
. $
, $
. $
$
, $
. $

:
1. , $
( ).
2. , .
3. , ,
.
1

http://www.clearswift.com/solutions/porn_filters.aspx

191

4. . $
, $
.
5. .
,
. , $
, , , $
, . ,
,
, , ,
.

,
, $
, .
, $
. , $
. $
, $
. , $
:
, 0xff. $
, $ .
,
. $
. , $
.
, $
.
, , ?
. $
, .
$
, $
, $$
.
. $,
, , , $
. ,
, Microsoft Word.
20 .
20 480 . ,
2 ,
11 , $
. 254 ?

192

11.

$
, $
. $
, ,
, : $
.
,
, $
, $
$, . $
$
. ,
$
, $
$
. $
, $
.

,
, ,
$
.
, , , $
.
, , $
. , $
.
, .
$
.
, $
,
, $
. , $
,
Google , $ .
$, Wotsits Format1,
. $
, $
$

. ,
1

http://www.wotsit.org

193


.
,
, SPIKEfile 12
: UNIX.
$
, .


$
, $
. $
. ,
, $
,
. $
,
, ,
.
$
. WinRAR1 ,
. ,
WinRAR , $ WinRAR.
.
zip, rar, tar, gz, ace, uue .
, Win$
RAR, . $
, $
.
: . $
, , $
, ,
, , $
. ,
, , $
. , $
;
, $ $
$
.

http://www.rarlab.com

194

11.

$
$
. :
( )

/



$
, ,
, $
.
, , $.
,
$
( ), $
null.
, , $
, $
.
,
,
, , $
. $
ClamAV.1


$
.
$
:
[...]
[1] size            = read32_from_file();
[2] allocation_size = size+1;
[3] buffer          = malloc(allocation_size);
[4] for (ix = 0; ix < size; ix++)
[5]     buffer[ix]  = read8_from_file();
[...]
1

http://idefense.com/intelligence/vulnerabilities/display.php?id=333

$
, .
32$
(0xFFFFFFFF) size, [2] allocation_size $
$ .
, . $
[4] [5] $
, size, $
, .
. $
, .

. $ $
, $
. $ $
, , ,
.
, , ,
.

, , $

.
:
[0] #define MAX_ITEMS 512
[...]
[1] char buff[MAX_ITEMS];
[2] int size;
[...]
[3] size = read32_from_file();
[4] if (size > MAX_ITEMS)
[5]     { printf("Too many items\n"); return 1; }
[6] readx_from_file(size,buff);
[...]
/* readx_from_file: read 'size' bytes from file into buff */
[7] void readx_from_file(unsigned int size, char *buff)
{
[...]
}

,
, [4]

196

11.

( [1]), MAX_ITEMS (
[0]) , , , 1
512. ,
[7],
. 1, ,
42949672954294967295. , $
, ,
readx_from_file, $
.


, $
. . $
. $

. $ $
, . $
, $
. , $
, The Shellcoder's
Handbook: Discovering and Exploiting Security Holes (
$: $
).1


$
. $
$
, $
WMF Microsoft, MS06-001.2
. $
, ,
, $
.


, $
, ,
. , $
,
, US$CERT, $

1
2

ISBN-10: 0764544683.
http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx

197

$
%n.1
, , $
, , $
. $
Adobe2 RealNetworks3. $
,
, , $
. , $
, , $
, .


, $
,
.
.
,
Microsoft Internet Explorer.
, $ , Internet Explorer $
,
, , .

$
. $
, ,
, $
. , , $

. $
:
. $
Microsoft Windows, $
Event Viewer. ,
, $
, $
.
1

2
3

https://buildsecurityin.us-cert.gov/daisy/bsi/articles/knowledge/guidelines/340.html
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=163
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=311

198

11.

(). $

. $
, $
, $
. $
$
24
.
. $
, $
, , $
.
, UNIX ,
.
. $


. , $
, , $
, , , , $
,
.
, $
.
$
$
PyDbg Microsoft Windows, $
PaiMei.1

, $
, , $
, $
, , . $
. , $
8$ 42$
, 8$42. $

. ,
, . $
.

http://www.openrce.org/downloads/details/208

199


, .

, $ $
, .
$
TCP/IP,
$
.
, , , $
$
,
.

12
:
UNIX

.
, , .
.
$.,
. .
Bush at War ( )

$
, $ ,
, $
. ,

. HTML, $
Microsoft Internet Explorer, , $
, $
. , $
UNIX, ,
.
,
notSPIKEfile SPIKEfile, $
.
, .
, $
,
. UNIX, $

notSPIKEfile SPIKEfile

201

$. $

.

notSPIKEfile SPIKEfile
,
UNIX, SPIKEfile notSPIKEfile.
, SPIKE,
SPIKE.1
:
, $

.
, $
, .
$
ASCII.
, $
,
.

?
notSPIKEfile SPIKEfile ,
. $
:
. $
x86 Linux ptrace,
. ,
$
.
.
, $
$
.
, , $
. $
,
.
.

http://www.immunityinc.com/resources-freesoftware.shtml

202

12. : UNIX


, $
, , .

Linux. $
, ,
.
.


,
$
. ? .

, .
, , ,
.
, , $
. , $
UNIX system , . $
$
, . $
, ,
, $
, ,
,
, $
.
, ,
:
(LIBC) , $
open, creat, system
. .

ptrace.
, $
, ,
, ,
. $
, $
, $
ptrace.

203


( )

, .
, $
. $
,
. , , $
. $

ptrace. $
, . $

x86. libdisasm1, $
, , $
, Google, $
. , libdisasm
, ,
.


, $
, $
. , $
notSPIKEfile, SPIKE$
file, SPIKEfile
SPIKE. ,
.
, , , SPIKEfile
, SPIKE.
, SPIKE,
. SPIKE
, .
notSPIKEfile . $
.
$
.
: .
,
. $
, , . $
,
1

http://bastard.sourceforge.net/libdisasm.html

204

12. : UNIX

, ,
URL , $
. $
, SPIKE notSPIKEfile,
. 12.1,
$
. ,
, $
.
12.1.

"A"x10000

"%n%n"x5000

. $

$

HTTP:// + "A"x10000

URL.
URL

"A"x5000 + "@" + "A"5000

.
$

0x20000000,0x40000000,
0x80000000,0xffffffff

,

. $
. , mal
loc(user_count*sizeof (struct blah));. $
, $
$
, $

"../"x5000 + "AAAA"


URL


, . , ,
, $
,
.
, , , $
.html .

SPIKEfile notSPIKEfile.

205


$
, . , $
, forking off $
. $
:
[...]
if ( !(pid = fork ()) )
{ /* child: ask to be traced by the parent, then run the target */
    ptrace (PTRACE_TRACEME, 0, NULL, NULL);
    execve (argv[0], argv, envp);
}
else
{ /* parent: wait on the child and inspect every stop */
    c_pid = pid;
monitor:
    waitpid (pid, &status, 0);
    if ( WIFEXITED (status) )
    { /* the child exited normally */
        if ( !quiet )
            printf ("Process %d exited with code %d\n",
                    pid, WEXITSTATUS (status));
        return(ERR_OK);
    }
    else if ( WIFSIGNALED (status) )
    { /* the child was killed by a signal it did not handle */
        printf ("Process %d terminated by unhandled signal %d\n",
                pid, WTERMSIG (status));
        return(ERR_OK);
    }
    else if ( WIFSTOPPED (status) )
    { /* the child stopped on a signal; report which one */
        if ( !quiet )
            fprintf (stderr, "Process %d stopped due to signal %d (%s) ",
                     pid, WSTOPSIG (status), F_signum2ascii (WSTOPSIG (status)));
    }
    switch ( WSTOPSIG (status) )
    { /* signals that point to memory corruption or another crash */
    case SIGILL:
    case SIGBUS:
    case SIGSEGV:
    case SIGSYS:
        printf("Program got interesting signal\n");
        if ( (ptrace (PTRACE_CONT, pid, NULL, (WSTOPSIG (status)
              == SIGTRAP) ? 0 : WSTOPSIG (status))) == -1 )
        {
            perror("ptrace");
        }
        ptrace(PTRACE_DETACH, pid, NULL, NULL);
        fclose(fp);
        return(ERR_CRASH); /* it crashed */
    }
    /* any other signal: deliver it to the child and keep monitoring */
    if ( (ptrace (PTRACE_CONT, pid, NULL, (WSTOPSIG (status) == SIGTRAP)
          ? 0 : WSTOPSIG (status))) == -1 )
    {
        perror("ptrace");
    }
    goto monitor;
}
return(ERR_OK);
}

, , $
. , , $
ptrace , $
, PTRA
CE_TRACEME. , ,
, ,
, $
$ .
, , $
, , $
PTRACE_TRACEME. $
,
. , $
. , $
. $
.
, , ,
, $
. $
, $
, ,
. $
, , $
.
, $
. : ,
?, .
? , $
,
, , $
, $ $
. , $
.

207

$
$
. $
, .
,
GLIBC. $
, $
.1
, $
, ,
, .
UNIX , .

UNIX
. 12.2 , $
, $
, .
12.2. UNIX

SIGSEGV

. $

SIGILL

.
; . $
, $
$

SIGSYS

.
,
($ ). $
, SIGILL

SIGBUS

. $ $
. $
.
RISC . $
RISC $
SIGBUS

SIGABRT

. $
, GLIBC

http://www.packetstormsecurity.org/papers/attack/MallocMaleficarum.txt

208

12. : UNIX

UNIX
. 12.2, . 12.3 ,
, , , $
.
12.3. UNIX

SIGCHLD

SIGKILL, SIGTERM

SIGFPE

, $

SIGALRM

, SIGCHLD, ,
, $
. $
, $ $
, $ .


$ ,
(. . ), ,
, wait
waitpid. $
,
. ,
. $
, , . 12.1.
, $
fork, , $
,
wait waitpid. , $
$.
notSPIKEfile $
,
,
. , ,
, $
8 .
. $ ,
.
SIGCHLD,

209

<

fork()

Parent()

Child()

wait(&status)

Code()

exit(0):
,
,

. 12.1.

.
SIGCHLD .
$
, $
. !
. wait
waitpid, , $
WHOHANG.
, , $
.
.
SPIKEfile $
, $
. $
SIGCHLD, .
SPIKEfile SPIKE, $
$ ,
, . , SPIKE
TCP/IP,
.
filestuff.c:
#include <stdio.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include "filestuff.h"
#include "spike.h"

extern struct spike *current_spike;

int
spike_fileopen (const char *file)
{
  int fd;
  if ((fd =
       open (file, O_CREAT | O_TRUNC | O_WRONLY,
             S_IRWXU | S_IRWXG | S_IRWXO)) == -1)
    perror ("fileopen::open");
  return current_spike->fd = fd;
  /* in the original source this assignment follows the return and is never reached */
  current_spike->proto = 69; /* 69==file, 0-68 are reserved by
                                the ISO fuzzing standard */
}

int
spike_filewrite (uint32 size, unsigned char *inbuffer)
{
  if (write (current_spike->fd, inbuffer, size) != size)
    {
      perror ("filewrite::write");
      return -1;
    }
  return 1;
}

void
spike_close_file ()
{
  if (current_spike->fd != -1)
    {
      close (current_spike->fd);
      current_spike->fd = -1;
    }
}

Makefile, , SPIKE, $

. , $
SPIKE, . 12.4.
12.4. , SPIKE
SPIKEfile

filestuff.c

util.c

notSPIKEfile
SPIKEfile . ptrace,
F_execmon

211

generic_file_fuzz.c

SPIKEfile. main

include/filestuff.h

filestuff.c

Libdisasm

, x86
$


SPIKEfile notSPIKEfile $
, , $
. Adobe Acrobat Reader RealNet$
works RealPlayer .
, ,
, . $
,
.
, $
.
. $
, $
. , $
, $
, $
.
, .
, Acro$
batReader RealPlayer.
.

Adobe Acrobat
Acrobat acro$
read, DEBUG. $
, $
acroread,
$PREFIX/Adobe/Acrobat7.0/Reader/intellinux/bin/acroread.
$
, ,
acroread. .
notSPIKEfile $
UnixAppOpenFilePerform $
Adobe Acrobat Reader.1
1

http://www.idefense.com/intelligence/vulnerabilities/display.php?id=279

212

12. : UNIX

RealNetworks RealPlayer
, realplay
. ,
realplay.bin.
user@host RealPlayer $ file realplay realplay.bin
realplay: Bourne shell script text executable
realplay.bin: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), for GNU/Linux 2.2.5, dynamically linked (uses shared libs), stripped

RealPlayer $
HELIX_PATH RealPlayer.
real$
play.bin, RealPlayer. $
realplay.
notSPIKEfile $
RealPix RealNetworks Real$
Player/HelixPlayer.1

:
RealPix
RealPlayer
, notSPIKEfile
RealPlayer,
2005 . ,
RealPlayer. , , $
RealPix. Google
RealPix, $
$
notSPIKEfile. :
<imfl>
<head title="RealPix(tm) Sample Effects"
author="Jay Slagle"
copyright="(c)1998 RealNetworks, Inc."
timeformat="dd:hh:mm:ss.xyz"
duration="46"
bitrate="12000"
width="256"
height="256"
url="http://www.real.com"
aspect="true"/>
</imfl>
1
2

http://www.idefense.com/intelligence/vulnerabilities/display.php?id=311
http://service.real.com/help/library/guides/realpix/htmfiles/tags.htm

RealPix

213

RealPlayer. $
RealPlayer, , $
. notSPIKE$
file .
, :
user@host $ export HELIX_PATH=/opt/RealPlayer/
user@host $ ./notSPIKEfile -t 3 -d 1 -m 3 -r 0 -S -s SIGKILL -o FUZZY sample1.rp sample1.rp "/opt/RealPlay/realplay.bin %FILENAME%"
[...]
user@host $

t $
RealPlayer 3 . d $
1 $
. $
realplayer m, $
r ,
.
s SIGKILL
s.
, , $
, $
, sample1.rp, , $
RealPlayer, . $
! , ,
, $ .
, $
FUZZY-sample1.rp-0x28ab156b-dump.txt.
,
.
, .
12288-FUZZY-sample1.rp.
.
, ,
. :
<imfl>
<head title="RealPix(tm) Sample Effects"
author="Jay Slagle"
copyright="(c)1998 RealNetworks, Inc."
timeformat="%n%n%n%n%n%n%n%n%n%n%n%ndd:hh:mm:ss.xyz"
duration="46"
bitrate="12000"
width="256"
height="256"
url="http://www.real.com"
aspect="true"/>
</imfl>

214

12. : UNIX

%n, ,
. $
, Real$
Player GDB:
user@host ~/notSPIKEfile $ gdb -q /opt/RealPlayer/realplay.bin
Using host libthread_db library "/lib/tls/libthread_db.so.1".
(gdb) r 12288-FUZZY-sample1.rp
Starting program: /opt/RealPlayer/realplay.bin 12288-FUZZY-sample1.rp
Program received signal SIGSEGV, Segmentation fault.
0xb7e53e67 in vfprintf () from /lib/tls/libc.so.6
(gdb) x/i $pc
0xb7e53e67 <vfprintf+13719>: mov %ecx,(%eax)


RealPlayer timeformat.
.


. $, Linux, , $
.
Linux , , , $
, Linux . $
, ptrace
, $
.
, ,
SPIKE . $ $
SPIKE, $ , $
, ,
,
$
.



. $
$ , ,
, .

13
:
Windows

,
,
.
$.,
, ,
28 2005


UNIX. $
$
Windows. , $
, . $$
, Windows $
, ,
, ,

$. $ ,
;
Windows, , Windows
. $

.

216

13. : Windows

Windows
$
,
.
.

,
. $
, $
.
$
, $
,
. , $
. $
, $
, .
.
$
,
. $
.
, , $
. $
.
$ , $
. ,
, $
. ?
$
? ,
. ,
Lynx?
, ,
.
Windows $
$ , .
,
.
, .
,
, .
, $
, Windows
.

Windows

217

. $
, Mi$
crosoft Windows.
FileFuzz $
. FileFuzz
. $,
. $,
, $
, . $, $
, , ,
. $
, $
Microsoft .NET. $
C#, $
, , C. . 13.1 $
.

. 13.1. FileFuzz

218

13. : Windows

,
Microsoft Windows
MS04-028. JPEG (GDI+)
.
2004 Microsoft
, $
, ,
GDI+
JPEG,
. JPEG
0xFFFE,
.
2 , $
2 , . $
, , ,
$
. $
Windows, GDI+ (gdiplus.dll) $
. $
$
.
MS05-009 PNG
.
, , Microsoft, $
, $
PNG ( $
), tRNS, $
.
Windows Messenger MSN Messenger , Mi$
crosoft
,
.
MS06-001.
.
2005 $
, WMF ($
Windows), , $
Internet Explorer .
$ Microsoft $
2006 . $
, .

219

WMF , $
GDI ($
) Windows. , Es
cape, SETABORTPROC $
. , $
$4000.1
Excel, eBay.
8 2005 fearwall eBay
, $
Microsoft Excel.2 ,
eBay , , $
3, $
.
1
2
3

http://www.securityfocus.com/brief/126
http://www.osvdb.org/blog/?p=71
http://www.theregister.co.uk/2005/12/10/ebay_pulls_excel_vulnerability_auction/

FileFuzz
, ,
. , FileFuzz $
, , $
, $
. , , .
FileFuzz ,

.
FileFuzz .
: , , $
, $
. $
$
. ,
$
$. , $
, $
, .
,

220

13. : Windows

.
.


FileFuzz .
, , $
$
, ,
.
, .
FileFuzz
( , , ),
:
;
;
;
;
;
ASCII;
.
, FileFuzz
, ASCII.
: .
, $
. $
, $
. ,
, $
, . , , , $
.
, , $
, ,
.
. $
$
,
. , $
, ,
$ .
, .
, $
, ,
, $

221

. .
, , ,
, ,
$ . $
.
,
, $
.
, ,
. $
,
. $
$
, , $
,
.
FileFuzz ASCII: $
, $
, , $
, ,
. $
, ,
. . ASCII $
*.ini :
name = value
, . , $
A, 10.
Find
=, . $
Replace 1010. 10 $
,
=. 10 10 100 $
A .



. ,
*.doc, $
Microsoft Word. FileFuzz
CreateProcess() Windows,
FileFuzz ,
, $
, ,
. $
.

222

13. : Windows


, .
$
, . $
,
, $
.
Execute , $
,
.


, $
. ,
, , ,
, , 10 $
? ,
.
,
.
,
, , . $
, ? . $
$ , ,
, $ .
, $
,
Windows Event Viewer. ,
( ) $
( ).
,
.
, $
$
. , $
,
. Windows $

. ,
,
, $
.

,
. $

223

, $
$
. , . $
$
.
, $
.
, $
, .
FileFuzz crash.exe, , $
,
, . $
, , $
FileFuzz , $
crash.exe .


FileFuzz : $
$
.
, $
. $
, $
File Types .
$
, .
, $
targets.xml.
:
<test>
  <name>jpg - iexplore.exe</name>
  <file>
    <fileName>JPG</fileName>
    <fileDescription>JPEG Image</fileDescription>
  </file>
  <source>
    <sourceFile>gradient.jpg</sourceFile>
    <sourceDir>C:\WINDOWS\Help\Tours\htmlTour\</sourceDir>
  </source>
  <app>
    <appName>iexplore.exe</appName>
    <appDescription>Internet Explorer</appDescription>
    <appAction>open</appAction>
    <appLaunch>"C:\Program Files\Internet Explorer\iexplore.exe"</appLaunch>
    <appFlags>{0}</appFlags>
  </app>
  <target>
    <targetDir>c:\fuzz\jpg\</targetDir>
  </target>
</test>

$
. FileFuzz $
, ,
$
. $
$
.
XML : $
$
, . , $
,
, . $

.
XML.
XML .
, <test>.
$
$
. $
, $
, . $
,
. ,
, , ,
.


Windows UNIX ,
Windows
, .
, , $
, $
,
.


Microsoft Windows $
. $
, $

225

.
. , $
, $
$ ,
,
, $
. , , $
JPEG. $
, ,
, , $
$
. Windows XP , $
JPEG, Windows Picture and Fax Viewer. $
, , Windows Picture and Fax Viewer,
, $
, , $
Download.com. ?
Windows , $
.

Windows
,
Windows? $
, $
. , $
, ,
. $
, $
.
, $
.
Windows Explorer $
, , $
, . Win$
dows Explorer, , JPEG
Windows Picture and Fax Viewer. , $
, JPEG$
FileFuzz .

Windows Explorer. .
. 13.2 , .
. $
$
, . $
, $

226

13. : Windows

. 13.2.

, , $
:
. ,
,
,
.
, $
JPEG, , $
$
. , $
.
Windows $
.
$
. $
, Windows JPEG,
.
. 13.3, ,
.

227

. 13.3.

$! Windows , $
. , ,
. 13.4, , Windows Picture and Fax Viewer
. $
(DLL), $
rundll32.exe.
Windows Picture and Fax Viewer :
rundll32.exe C:\WINDOWS\system32\shimgvw.dll,ImageView_Fullscreen %1

Windows Picture and Fax Viewer


, , , Win$
dows ImageView_Fullscreen.
%1 $
JPEG, $
Windows Picture and Fax Viewer, $
. . $
$
, ,
FileFuzz . $
Application Arguments, $
Execute FileFuzz. , $
, %1, ,
a{0}, , FileFuzz.
: Windows ,
.
, ,
.

228

13. : Windows

. 13.4.

Windows
90 100
Windows Explorer,
, ,
Windows Explorer. , ,
*.cbo. CBO Microsoft Interactive
Training, Windows XP, $
, Dell. $
, Microsoft Interactive Training,
, CBO $
Windows Explorer, Windows Explorer $
CBO
Microsoft Interactive Training . $
?
, Windows Explorer? $
Windows. $
\HKEY_CLASSES_ROOT\.xxx, xxx
. $
, .
HKEY_CLASSES_ROOT\,
. \shell\open\com$
mand , $
, $
.

229

, $
Windows, $
. , $
FileFuzz,
FileFuzz
GDI+ JPEG,
Microsoft MS04-028.

FileFuzz,
, $
, $
. ,
, , $
. $
,
Windows, $
.


, $
.NET.
, , $
. $

C#. C,
$ $
Windows. .NET $
, $
, , $
.NET.

, File$
Fuzz. $
. ,
.
FileFuzz,
www.fuzzing.org.

230

13. : Windows


, FileFuzz $
Windows, , $
ASCII. Read.cs $
, write.cs $
.


FileFuzz , $
.

. , .NET $
. $

ASCII. BinaryReader $
.
ASCII , $
StreamReader. , , $
, , $
. Read:
private BinaryReader brSourceFile;
private StreamReader arSourceFile;
public byte [] sourceArray;
public string sourceString;
private int sourceCount;
private string sourceFile;
public Read(string fileName)
{
sourceFile = fileName;
sourceArray = null;
sourceString = null;
sourceCount = 0;
}

sourceArray $
, , sourceString
ASCII.


, $

. , FileFuzz $
,
:
;
;

231

;
.

Write,

.
BinaryWriter , $

. ASCII, $
, StreamWriter $
.


, $
, Main.cs, $
. , ,
, , ,
,
, , ,
. crash.exe $
.
Process.
executeApp() , $
.
,
, . ,
, crash.exe, , $
, crash.exe, $
, . $
crash.exe, $
crash.exe
rtbLog, $
FileFuzz:
Process proc = new Process();

public Execute(int startFileInput, int finishFileInput, string targetDirectoryInput,
               string fileExtensionInput, int applicationTimerInput,
               string executeAppNameInput, string executeAppArgsInput)
{
    startFile = startFileInput;
    finishFile = finishFileInput;
    targetDirectory = targetDirectoryInput;
    fileExtension = fileExtensionInput;
    applicationTimer = applicationTimerInput;
    executeAppName = executeAppNameInput;
    executeAppArgs = executeAppArgsInput;
    procCount = startFile;
}

public void executeApp()
{
    bool exceptionFound = false;
    //Initialize progress bar
    if (this.pbrStart != null)
    {
        this.pbrStart(startFile, finishFile);
    }
    while (procCount <= finishFile)
    {
        // launch crash.exe, which in turn starts the target under its debugger
        proc.StartInfo.CreateNoWindow = true;
        proc.StartInfo.UseShellExecute = false;
        proc.StartInfo.RedirectStandardOutput = true;
        proc.StartInfo.RedirectStandardError = true;
        proc.StartInfo.FileName = "crash.exe";
        proc.StartInfo.Arguments = executeAppName + " " + applicationTimer + " " +
            String.Format(executeAppArgs, @targetDirectory + procCount.ToString() + fileExtension);
        proc.Start();
        //Update progress bar
        if (this.pbrUpdate != null)
        {
            this.pbrUpdate(procCount);
        }
        //Update counter
        if (this.tbxUpdate != null)
        {
            this.tbxUpdate(procCount);
        }
        proc.WaitForExit();
        //Write std output to rich text box log
        if (this.rtbLog != null && (proc.ExitCode == -1 || proc.ExitCode == 1))
        {
            this.rtbLog(proc.StandardOutput.ReadToEnd());
            this.rtbLog(proc.StandardError.ReadToEnd());
            exceptionFound = true;
        }
        procCount++;
    }
    //Clear the progress bar
    if (this.pbrStart != null)
    {
        this.pbrStart(0, 0);
    }
    //Clear the counter
    if (this.tbxUpdate != null)
    {
        this.tbxUpdate(0);
    }
    if (exceptionFound == false)
        this.rtbLog("No exceptions found\n\n");
    exceptionFound = false;
}


, FileFuzz
crash.exe, , C, $
, Win$
dows. libdasm, ,
.
, ,
, crash.exe
. FileFuzz
, ,
, , $
, $
. $
, $
$
.
CreateProcess DEBUG_PROCESS:
if (argc < 4)
{
    fprintf(stderr, "[!] Usage: crash <path to app> <milliseconds> <arg1> [arg2 arg3 argn]\n\n");
    return 1;
}

// convert wait time from string to integer.
if ((wait_time = atoi(argv[2])) == 0)
{
    fprintf(stderr, "[!] Milliseconds argument unrecognized: %s\n\n", argv[2]);
    return 1;
}

// create the command line string for the call to CreateProcess().
strcpy(command_line, argv[1]);
for (i = 3; i < argc; i++)
{
    strcat(command_line, " ");
    strcat(command_line, argv[i]);
}

//
// launch the target process.
//
ret = CreateProcess(NULL,           // target file name.
                    command_line,   // command line options.
                    NULL,           // process attributes.
                    NULL,           // thread attributes.
                    FALSE,          // handles are not inherited.
                    DEBUG_PROCESS,  // debug the target process and all spawned children.
                    NULL,           // use our current environment.
                    NULL,           // use our current working directory.
                    &si,            // pointer to STARTUPINFO structure.
                    &pi);           // pointer to PROCESS_INFORMATION structure.

printf("[*] %s\n", GetCommandLine()); //Print the command line

if (!ret)
{
    fprintf(stderr, "[!] CreateProcess() failed: %d\n\n", GetLastError());
    return 1;
}

crash.exe
. ,
, , $
. , $

. $
,
: , $
. $
, ,
. $
libdasm, , $
, $
:
while (GetTickCount() - start_time < wait_time)
{
    if (WaitForDebugEvent(&dbg, 100))
    {
        // we are only interested in debug events.
        if (dbg.dwDebugEventCode != EXCEPTION_DEBUG_EVENT)
        {
            ContinueDebugEvent(dbg.dwProcessId, dbg.dwThreadId, DBG_CONTINUE);
            continue;
        }

        // get a handle to the offending thread.
        if ((thread = OpenThread(THREAD_ALL_ACCESS, FALSE, dbg.dwThreadId)) == NULL)
        {
            fprintf(stderr, "[!] OpenThread() failed: %d\n\n", GetLastError());
            return 1;
        }

        // get the context of the offending thread.
        context.ContextFlags = CONTEXT_FULL;
        if (GetThreadContext(thread, &context) == 0)
        {
            fprintf(stderr, "[!] GetThreadContext() failed: %d\n\n", GetLastError());
            return 1;
        }

        // examine the exception code.
        switch (dbg.u.Exception.ExceptionRecord.ExceptionCode)
        {
            case EXCEPTION_ACCESS_VIOLATION:
                exception = TRUE;
                printf("[*] Access Violation\n");
                break;
            case EXCEPTION_INT_DIVIDE_BY_ZERO:
                exception = TRUE;
                printf("[*] Divide by Zero\n");
                break;
            case EXCEPTION_STACK_OVERFLOW:
                exception = TRUE;
                printf("[*] Stack Overflow\n");
                break;
            default:
                ContinueDebugEvent(dbg.dwProcessId, dbg.dwThreadId, DBG_CONTINUE);
        }

        // if an exception occurred, print more information.
        if (exception)
        {
            // open a handle to the target process.
            if ((process = OpenProcess(PROCESS_ALL_ACCESS, FALSE, dbg.dwProcessId)) == NULL)
            {
                fprintf(stderr, "[!] OpenProcess() failed: %d\n\n", GetLastError());
                return 1;
            }

            // grab some memory at EIP for disassembly.
            ReadProcessMemory(process, (void *)context.Eip, &inst_buf, 32, NULL);

            // decode the instruction into a string.
            get_instruction(&inst, inst_buf, MODE_32);
            get_instruction_string(&inst, FORMAT_INTEL, 0, inst_string, sizeof(inst_string));

            // print the exception to screen.
            printf("[*] Exception caught at %08x %s\n", context.Eip, inst_string);
            printf("[*] EAX:%08x EBX:%08x ECX:%08x EDX:%08x\n", context.Eax,
                   context.Ebx, context.Ecx, context.Edx);
            printf("[*] ESI:%08x EDI:%08x ESP:%08x EBP:%08x\n\n", context.Esi,
                   context.Edi, context.Esp, context.Ebp);
            return 1;
        }
    }
}

, crash.exe,
$
. ,
$
. ,
, $
, , $
$
, $
, .


, ,
, $
. $

Microsoft MS04-028
JPEG (GDI+) .1 $
, ,
.
$
, ,
. $
, $
, $
, .
gdiplus.dll, $
, Microsoft Of$
fice, Internet Explorer Windows Explorer. JPEG $
, .
0xFFFE,
16$ , $
.
FileFuzz ? .

, $
. , ,
1

http://www.microsoft.com/technet/security/Bulletin/MS04-028.mspx

237

Windows.
Windows XP SP1.

11. ? ,
. $
, , $
, . $
631 $

. fuzz, $

:
0000009eh: FF FE 00 06 66 75 7A 7A ; ÿþ..fuzz
Breakdown:
FF FE         Comment preface
00 06         Length of comments in bytes
66 75 7A 7A   ASCII value of fuzz

, ,
Windows XP
JPEG. ,
, Windows Picture and Fax Viewer

JPEG (. 13.5):
rundll32.exe C:\WINDOWS\system32\shimgvw.dll,ImageView_Fullscreen %1

FileFuzz .
FileFuzz JPEG, $
File Type,
FileFuzz,
.
Create
JPEG,
JPEG ,
. Create
:
. C:\Program Files\FileFuzz\Attack\test.jpg. $
JPEG.
. C:\fuzz\jpg\. ,
.
(), . 00 x 2.
1 ,
, 0x00
1

http://www.securityfocus.com/archive/1/375204

238

13. : Windows

. 13.5. JPEG+ Create

0x01. ,
2 . $
, ,
0x0000, ,
.
. = 150170.
160.
150 170.

. 13.5.
, Create $
. Execute.
FileFuzz, Windows Pic$
ture and Fax Viewer. Execute
:

239

. rundll32.exe. Windows Picture and Fax


Viewer DLL,
run32.exe, $
DLL.
. C:\WINDOWS\system32\shimgvw.dll,ImageView_Full$
screen {0}. $
Windows Picture and Fax Viewer (shimgvw,dll),
ImageView_FullScreen {0}, $
.
. 150. , .
. 170. , .
. 2000. , Windows
Picture and Fax Viewer ,
.
. 13.6.

. 13.6. FileFuzz Windows Picture and Fax Viewer

240

13. : Windows

, . Execute, , Windows
Picture and Fax Viewer .
21 , 21 $
. , , FileFuzz $
. $
, 160.jpg, $
. ,
160 JPEG,
160.jpg 0x0000:
[*] "crash.exe" rundll32.exe 2000
C:\WINDOWS\system32\shimgvw.dll,ImageView_Fullscreen c:\fuzz\jpg\160.jpg
[*] Access Violation
[*] Exception caught at 70e15599 rep movsd
[*] EAX:fffffffe EBX:00904560 ECX:3ffffe3c EDX:fffffffe
[*] ESI:0090b07e EDI:0090c000 ESP:00aaf428 EBP:00aaf43400


FileFuzz
.
,
, $
. ,
.

.
. , $
,
(,
0xFFFFFFFF). ,
. $

, , . $
, : $
,
, $

.
FileFuzz , $
,
. , $
. , $
Create Intelligent ( ) $
Create,
Create Brute Force ( ). $
; $

241

$
, $
. $
,
, , $
. , , $
$
, FileFuzz, , $
.
$
,
. $
, crash.exe, $
, $
,
, . $
, ,
.
, .
. .

Mi$
crosoft. $
Office, $
. , Microsoft
, $
, $
. , $
$
$
, $
.

14

?
. ?
$.,
,
$, ,
8 2004

,
setuid $
UNIX. , $

, .
$
, $
. ,
, $
$, , , .
, Microsoft Internet Explorer, $
, . $
, $
.
, .

,
. ,
,
$ , $

243

,
. $
,
, .
.

?
, $
, $
,
. , ,
$ $
, .

, $ .
,
$
$ DB9 .

Microsoft
,
, .
,
Y2K , .
Microsoft,
$
.
. $
$
,

.
,
Microsoft, , $
. ,
,
2002 Trustworthy Computing Initiative1,
Microsoft $
.
1

http://www.microsoft.com/mscorp/twc/2007review.mspx

244

14.

Code Red. IIS Web server


Internet Server Application Programming Interface (ISAPI) $
18 2001 .1
, 13 $
2001 . , $
$ HELLO!
Welcome to http://www.worm.com! Hacked By Chinese! ($
! http://www.worm.com!
!). 20 27 ,
DoS$ $
IP$, IP$ whitehouse.gov.
Slammer. SQL$ Slammer
, Microsoft Security Bulletins MS02$
0392 MS02$0613, SQL$ Microsoft Desktop Engi$
ne. 25 2003 , 10 $
75 000 .4 $
(MS02$039)
Microsoft , $
, .
Blaster. 11 2003 18$
5, $
$
(RPC) DCOM Windows XP Windows 2000.6 $
. $
DoS$ SYN$
windowsupdate.com. $
18 , 100 $
.7

,
Microsoft,
.

.
1
2
3
4
5
6
7

http://research.eeye.com/html/advisories/published/AD20010618.html
http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx
http://www.microsoft.com/technet/security/bulletin/MS02-061.mspx
http://en.wikipedia.org/wiki/SQL_slammer_worm
http://en.wikipedia.org/wiki/Blaster_worm
http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
http://weblog.infoworld.com/techwatch/archives/001035.html

245


. ,
.
, SPIKE1 ProtoFuzz,
16 : $
Windows. SPIKE , $
. $
, $
. ircfuzz2, dhcpfuzz3
Infigo FTPStress Fuzzer4. , $
, .

,
. $
, ,
21 . ,
.

, $
. . 14.1

, .
. $
, , ,
.
, , $$
, . . ,
, .
, $
, Open Systems Interconnection
Basic Reference Model ( OSI)5 (. 14.1). $
, $
,
, $
. ,
. $
, , .
1
2
3
4
5

http://www.immunitysec.com/resources-freesoftware.shtml
http://www.digitaldwarf.be/products/ircfuzz.c
http://www.digitaldwarf.be/products/dhcpfuzz.pl
http://www.infigo.hr/en/in_focus/tools
http://en.wikipedia.org/wiki/Osi_model

246

14.

$
, .
14.1. +

Sendmail $ http://xforce.iss.net/xforce/alerts/
id/216

$ http://archives.neohapsis.com/archi+
MySQL
ves/vulnwatch/2004+q3/0001.html

RPC$


RPC DCOM

$ http://bvlive01.iss.net/issEn/delive+
OpenSSH
ry/xforce/alertdetail.jsp?oid=20584

RealServer ../
DESCRIBE

http://www.zerodayinitiative.com/advisories/ZDI-07-003.html
CA Bright$
Stor ARCserve Backup

http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx

http://www.service.real.com/help/
faq/security/rootexploit082203.html

. 14.1. OSI

247

2:
(data link
layer) Ethernet 802.11. 2 $
,
. $
2 Mitre, CVE$
2006$3507.1 $
AirPort Mac OS $ $
. $
, , $
. $
:
, . $
$
Mac OS ,
.

Black Hat 2006 $


(Jon Ellch) $
(David Maynor) , $
, Apple
Macbook, .2

, Apple
, $
.
Apple , , $
, ,
, Apple.
Apple ,
CVE-2006-3507, ,
, $
Black Hat.
, . $
: .

1
2

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3507
http://blog.washingtonpost.com/securityfix/2006/08/hijacking_a_macbook_in_60_seco.html

248

14.

3:
3, , IP Internet Control Message
Protocol (ICMP). TCP/
IP ,
. ,
Windows Vista , $
, . $
TCP/IP MS06-032 Vulnerability in
TCP/IP Could Allow Remote Code Execution ( TCP/IP $
).1
$ IP
4. ,

.

4:
4, : , $
TCP UDP. ,
TCP/IP ,
.
winnuke$, out$of$band TCP$
.2 winnuke$ , , $
DoS$ . $
, $
TCP$ TCP$.
API, ,
.

5:
, 5 OSI,
,
. , DCE/RPC (MSRPC Microsoft)
ONC RPC, Sun RPC.
Windows UNIX . $
.
Microsoft Security Bulletin MS04$0113,
Sasser4. $
lsass.exe, $
RPC, $
1
2
3
4

http://www.microsoft.com/technet/security/Bulletin/MS06-032.mspx
http://support.microsoft.com/default.aspx?scid=kb;[LN];168747
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://en.wikipedia.org/wiki/Sasser_worm

249

Windows. , $
$ DsRolerUpgradeDown$
levelServer .

6:
6, $
, XDR, eXternal Data Representation (
), Sun RPC. $
XDR , ,
xdr_array, $
(Neel Mehta).1 $
.
, ,
.
.

7:
7, , ,
OSI. $
, FTP, SMTP, HTTP,
DNS . $
,
. ,
.
7,
, $
, $
.

$
, 11 . $
, , ,
, $
.
.

,
,
, $
. $ $
1

http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20823

250

14.


$. $
, $
, .
$
. , , , .
, , , $
. $
, $
.
, $
, $
. $
, $ $
, $ .
. $
, , $
, ,
.

,
, $
.
.
, . $
, .
,
FTP, $
. , $
(USER, PASS, CWD . .), $
.
$
PEACH1 . $
,
. $
,
, .
,
, , $
, , . $
, , , $
, $

http://peachfuzz.sourceforge.net/

251

.
,
, , , ,
. , ,
, , $
, . $
, ,
$
.


,
. $
? , $
. , $
( ).
,
, ,
. ,

.
, $
, .
OpenSSH$ sshutuptheo1, GOBBLES,
$
SSH$.
,
SSH. ,
. , $
SSH 1, 2 SSH
. , ,
,
.


, $
$ 24
.
, $
, $
. $
1

http://online.securityfocus.com/data/vulnerabilities/exploits/sshutup-theo.tar.gz

252

14.

$. , $
,
. ,
.
, , $
. ,
$.
, , , $
$
.
, , , $
, $.
,
$. $
$.

( )
$
.
, .
Ollydbg, Windbg, IDA GDB.
, $
.

( )
, .
,
, $
. .
.
.
, $
. 24.



, $
. $
$
. ,

, .
, $
, $

253

. , $
, , $
DoS. : $
, $
.

,
,
. , $
, $
, , $
. ,
, $
, . $
,
, .

15
:
UNIX

, , .
$.,
,
Dallas Morning News,
10 2000

Microsoft Win$
dows, UNIX $ $
. $ Apache, ,
UNIX, 30 Mic$
rosoft IIS NetCraft.1
UNIX
.
UNIX DNS, $. ,
, , BIND (Berkeley Internet Name
Domain) DNS$, $
$. ,
, ,
, .
UNIX
. $

http://news.netcraft.com/archives/2007/02/23/march_2007_web_server_survey.html

SPIKE

255

, SPIKE,
, $
. $
, $
$
SPIKE.

SPIKE
SPIKE
, : , $
$,
.



:
$ .
$ ,
$.
$ ,
, .
, No$
vell NetMail1, , $

. , Net$
Mail Networked Messaging Application Protocol (NMAP). NMAP
Nmap2, $
. NetMail NMAP? $
, , , Novell $
.
NMAP Networked Messaging Application
Protocol ( ).
IP$, IANA 689, $
NIMS$.
NDS eDirectory NIMS$, $
,
, . $
$
NMAP $

1
2

http://www.novell.com/products/netmail/
http://insecure.org/nmap/

256

15. : UNIX

. NMAP
RFC NIMS.1
NMAP Novell
TCP.
. , $
.
$
, . $
, , $
, , ,
, .
Novell 90$ NetMail $$
2, $
. $
, Novell.
, , $
( $ ). $
, $
. NMAP.


NMAP SPIKE, , ,
. $
. ,
NMAP . $
, .
,
.
. Google , $
. , $
Wireshark ($
Ethereal). Wireshark Subversion, $
epan\dissectors3, , .
, ,
NMAP , , $
$ . $
, $
. , , NMAP $
TCP$ 689,

1
2
3

http://support.novell.com/techcenter/articles/ana20000303.html
http://download.novell.com/index.jsp
http://anonsvn.wireshark.org/wireshark/trunk/

SPIKE

257

Microsoft TCPView1 ( Sys Inter$


nals). TCPView ,
nmapd.exe TCP 689. $
TCP netcat2 $
Windows telnet. ,
HELP , , ,
.
. $
, nmapd.exe
IDA Pro. Shift+F12
, . 15.1. , $
, , $
, ASCII$ 1000.
, ,
, 1000.
, NMAP, , $
.

. 15.1. nmapd.exe

1
2

http://www.microsoft.com/technet/sysinternals/Networking/TcpView.mspx
http://www.vulnwatch.org/netcat/

258

15. : UNIX

,
.
$
, :
<argument>. . ,
.
[argument]. .
{CONSTANT1|CONSTANT2|CONSTANT3}. ; $
. $
|.
,
.
. $
. , PASS :
PASS {SYS | USER <Username>} <Password>

, $
SYS USER. Username $
USER, , $
USER. SYS, User
name . , Password
. PASS, ,
, , , . $
, .
,
, $
.

. ,

( ) $
, , .
,
, , $
, , $
.
, .
, . $
, , .
, USER,
PASS, FTP.
PASS. $
NMAP$ SYS $
PASS USER.

$
IDA, $
.
ASCII, +
. , .
+.

( ),
. , $
IDA.
NMAP, $
SPIKE NMAP$.

SPIKE 101
SPIKE, ,
21 . $
.
SPIKE ,
SPIKE
TCP.


SPIKE
. $
, , . .
.
, $
;
$
, $
. ,
ASCII, 64 000 $
A. $
,
. , $
. ,
XDR$ .

TCP
, ,
TCP. line_send_tcp.c,
SPIKE. , $
SPIKE. SPIKE
,

. $
. $
, SPIKE
.
, ,
SPIKE API.
, , $
, , , :
s_string(char * instring). SPIKE $
. .
s_string_variable(unsigned char *variable). SPIKE $
.
.
s_binary(char * instring). SPIKE .
.
s_xdr_string(unsigned char *astring). SPIKE
XDR.
. .
s_int_variable(int defaultvalue, int type). SPIKE
.
s_int_variable() $
:
Binary Big Endian. (Most significant bit, MSB), 4 .
ASCII. ASCII.
One byte. .
Binary Little Endian Half Word.
(Least significant bit, LSB), 2 .
Binary Big Endian Half Word. MSB, 2 .
Zero X ASCII Hex. ASCII $
0x.
ASCII Hex. ASCII.
ASCII Unsigned. ASCII.
Intel Endian Word. LSB, 4 .
SPIKE $
C,
. SPIKE/SPIKE/include/listener.h
:
#define BINARYBIGENDIAN            1
#define ASCII                      2
#define ONEBYTE                    3
#define BINARYLITTLEENDIANHALFWORD 4
#define BINARYBIGENDIANHALFWORD    5
#define ZEROXASCIIHEX              6
#define ASCIIHEX                   7
#define ASCIIUNSIGNED              8
#define INTELENDIANWORD            9

SPIKE $
NMAP$.
SPIKE .


, SPIKE $
$
.
. $
, , , $

. ,
.
,
. s_block_start() s_block_end()
$
:
int s_block_start(char *blockname)
int s_block_end(char * blockname)


. ,
, $
blocksize. ,
, . , $
blocksizes , , $
blocksizes. ,
,
.
blocksizes, SPIKE:
s_blocksize_signed_string_variable(char * instring, int size)
s_blocksize_unsigned_string_variable(char * instring, int size)
s_blocksize_asciihex_variable(char * blockname)
s_binary_block_size_word_bigendian(char *blockname)
s_binary_block_size_word_bigendian_variable(char *blockname)
s_binary_block_size_halfword_bigendian(char * blockname)
s_binary_block_size_halfword_bigendian_variable(char *blockname)
s_binary_block_size_byte(char * blockname)
s_binary_block_size_byte_variable(char * blockname)
s_binary_block_size_byte_plus(char * blockname, long plus)
s_binary_block_size_word_bigendian_plussome(char *blockname, long some)

s_binary_block_size_intel_halfword(char *blockname)
s_binary_block_size_intel_halfword_variable(char *blockname)
s_binary_block_size_intel_halfword_plus_variable(char *blockname,long plus)
s_binary_block_size_intel_halfword_plus(char *blockname,long plus)
s_binary_block_size_byte_mult(char * blockname, float mult)
s_binary_block_size_halfword_bigendian_mult(char * blockname, float mult)
s_binary_block_size_word_bigendian_mult(char *blockname, float mult)
s_binary_block_size_intel_word(char *blockname)
s_binary_block_size_intel_word_variable(char *blockname)
s_binary_block_size_intel_word_plus(char *blockname,long some)
s_binary_block_size_word_intel_mult_plus(char *blockname, long some,
float mult)
s_binary_block_size_intel_halfword_mult(char *blockname,float mult)
s_blocksize_unsigned_string_variable(char * instring, int size)
s_blocksize_asciihex_variable(char * blockname)

SPIKE
SPIKE , ,
API ,
. $
$
. SPIKE $
SPIKE .


SPIKE $
:
HTTP
Microsoft RPC
X11
Citrix
Sun RPC
$
SPIKE. , $
,
.


SPIKE ,
SPIKE. :
CIFS
FTP
H.323

IMAP
Oracle
Microsoft SQL
PPTP
SMTP
SSL
POP3


, SPIKE , $
. :
() TCP$;
TCP/UDP$;
TCP$.

SPIKE NMAP
NetMail, SPIKE,
, $
HELP IDA Pro.

. $

:
s_string_variable("PASS");
s_string(" ");
s_string_variable("USER");
s_string(" ");
s_string_variable("devel_user");
s_string(" ");
s_string_variable("secretpassword");
s_string("\r\n");
s_string("QCREA ");
s_string_variable("test");
s_string("\r\n");
s_string("CREA ");
s_string_variable("inbox");
s_string("\r\n");
s_string("MBOX ");
s_string_variable("test");
s_string("\r\n");
s_string("LIST ");
s_string_variable("0");
s_string("\r\n");
s_string("GINFO ");
s_string_variable("0");
s_string(" ");
s_string_variable("test");
s_string("\r\n");
s_string("SEARCH BODY ");
s_string_variable("test");
s_string("\r\n");
s_string("DFLG ");
s_string_variable("0");
s_string(" ");
s_string_variable("SEEN");
s_string("\r\n");
s_string("CSCREA ");
s_string_variable("test");
s_string("\r\n");
s_string("CSOPEN ");
s_string_variable("test");
s_string("\r\n");
s_string("CSFIND ");
s_string_variable("0");
s_string(" ");
s_string_variable("0");
s_string(" ");
s_string_variable("0");
s_string("\r\n");
s_string("BRAW ");
s_string_variable("0");
s_string(" ");
s_string_variable("0");
s_string(" ");
s_string_variable("0");
s_string("\r\n");

NMAP
SPIKE .
TCP$
SPIKE nmap.spk $
:
./line_send_tcp 192.168.1.2 689 nmap.spk 0 0

$
, ! NMAP
OllyDbg . 15.2.

. 15.2. nmapd.exe

. 15.2 $
. EBP ( ), EBX, ESI, EDI $
EIP ( ) $
0x41 ASCII.
, , , $
. $
, $ ,
0x41414141. $
,
. ,
, , $
, .
.
SPIKE : SPIKE , $
. , $
SPIKE, ,
NetMail NMAP. $ $
, ,
SPIKE . $

, ,
SPIKE, NMAP.
, NMAP $
SPIKE :
[...snip...]
Fuzzing Variable 5:1
Read first line
Variablesize= 5004
Fuzzing Variable 5:2
Couldn't tcp connect to target
Segmentation fault
[...snip...]

,
, NMAP. $

. NMAP $
. SPIKE , ,
. , , ,
.
, , $
SPIKE Fuzzing Variable
5:1. ,
5. $
, , 1. ,
5, $
SPIKE , variable,
0. CREA, $
. , $
1
CREA.
. ,
. $
printf() line_send_tcp.c,
, $
. , ,
CREA <longstring>.
. $
$
CREA. : $
. , $
, $
.
NMAP, SPIKE ,
CREA, $
.
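The script above and the "Fuzzing Variable 5:1" line can be tied together in code. The following Python is an added example written for this page, not part of the book and not SPIKE's own code: it models s_string()/s_string_variable() with one variable mutated at a time, numbers variables from 0 the way the text reads SPIKE's output, and maps a variable number back to the NMAP command it belongs to. The fuzz-string list is a small constructed subset, the host and port in send_case() are the chapter's 192.168.1.2:689, and no NetMail server is needed to run the generator itself.

```python
import socket


class Spike:
    """Minimal model of a SPIKE script: literal strings and fuzzable variables.

    Only s_string() and s_string_variable() are modelled; SPIKE's block and
    size primitives are left out.
    """

    # Constructed subset of fuzz strings; the real SPIKE carries several hundred.
    FUZZ_STRINGS = [
        "A" * 5000,          # long string: the classic stack/heap overflow probe
        "%n" * 16,           # format string
        "\x00" * 64,         # embedded NULs
        "-1",                # signed/unsigned confusion
        "4294967295",        # 2**32 - 1
    ]

    def __init__(self):
        self.parts = []      # list of (is_variable, default_text)

    def s_string(self, text):
        self.parts.append((False, text))

    def s_string_variable(self, default):
        self.parts.append((True, default))

    def variable_positions(self):
        """Indices into self.parts of the variables, counted from 0 in the
        order SPIKE numbers them in 'Fuzzing Variable N:M'."""
        return [i for i, (is_var, _) in enumerate(self.parts) if is_var]

    def render(self, var_no=None, fuzz_no=None):
        """Build one request: variable var_no takes FUZZ_STRINGS[fuzz_no],
        every other variable keeps its default. var_no=None returns the
        unmodified request, worth sending first to confirm the login works."""
        target = self.variable_positions()[var_no] if var_no is not None else None
        return "".join(
            self.FUZZ_STRINGS[fuzz_no] if i == target else text
            for i, (_, text) in enumerate(self.parts)
        )

    def cases(self):
        """Every (var_no, fuzz_no, payload): one variable mutated at a time."""
        for var_no in range(len(self.variable_positions())):
            for fuzz_no in range(len(self.FUZZ_STRINGS)):
                yield var_no, fuzz_no, self.render(var_no, fuzz_no)


def nmap_script():
    """The first commands of the chapter's nmap.spk, rebuilt with the model."""
    s = Spike()
    for default, sep in (("PASS", " "), ("USER", " "),
                         ("devel_user", " "), ("secretpassword", "\r\n")):
        s.s_string_variable(default)
        s.s_string(sep)
    for command, default in (("QCREA ", "test"), ("CREA ", "inbox"),
                             ("MBOX ", "test")):
        s.s_string(command)
        s.s_string_variable(default)
        s.s_string("\r\n")
    return s


def command_of_variable(spike, var_no):
    """Map a 'Fuzzing Variable N' number back to the protocol command whose
    argument it is, the step the text does by hand to arrive at CREA."""
    pos = spike.variable_positions()[var_no]
    so_far = "".join(text for _, text in spike.parts[:pos + 1])
    return so_far.split("\r\n")[-1].split(" ")[0]


def send_case(payload, host="192.168.1.2", port=689, timeout=3.0):
    """Deliver one case the way line_send_tcp does. Returns the first reply,
    or None when the connection fails: a refused connection right after a
    case is the 'Couldn't tcp connect' symptom of a daemon that just died."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(payload.encode("latin-1"))
            return sock.recv(4096)
    except OSError:
        return None
```

Running `for v, f, p in nmap_script().cases(): send_case(p)` reproduces the one-variable-at-a-time walk; the first case that returns None after earlier ones succeeded is the one to replay under the debugger.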

, $
$
. NMAP $
. $
SPIKE, $
NMAP. , ,
$
. $
. , $
. NMAP $
.

16
Network Protocol Fuzzing: Windows

, +,
,
.
$.,
,
, ,
10 2001

,
UNIX,
Microsoft Windows,
. ,
Windows, $
. , , Slammer1,
Microsoft
SQL, Windows. $
$
Microsoft MS02-039[2] 24 2002 , Slammer
25 2003 . $
;
.3
1. http://www.cert.org/advisories/CA-2003-04.html
2. http://www.microsoft.com/technet/security/bulletin/MS02-039.mspx
3. http://pedram.openrce.org/__research/slammer/slammer.txt


,
, $
,
.
, Slammer $
,
.1 , Windows .

SPIKE UNIX,
Novell NetMail NMAP.

, ,
Windows .
ProtoFuzz
,

. .

,
,
.
. $
, . $
, ProtoFuzz $
,
. .


, $
, .
:
. PROTOS Test Suite2, $
Codenomicon3 $
, .
, $
$
, , .

1. http://isc.sans.org/portreport.html?sort=targets; http://atlas.arbor.net/
2. http://www.ee.oulu.fi/research/ouspg/protos/
3. http://www.codenomicon.com/products/

16. Network Protocol Fuzzing: Windows

. ,
SPIKE
, $
.
.
. , $
:
.

, $
,
, $
,
.
, $
. $
,
, , $
. $
ProtoFuzz.

, ; $
. ProtoFuzz $
$ . $
,
,
$

.


$
, , ProtoFuzz $
.
ProtoFuzz, $
$
, . $

.


, ,
ProtoFuzz
. $
, .
, $

.
,
, $
, $
. $
, Wireshark,
. . 16.1
TCP, Wireshark.

. 16.1. Wireshark AIM,

Wireshark ,
. $
. , $
. $
. , Wireshark AOL Instant Messenger, $
TCP. ,

ASCII .


, $
,
.
, $
$
.
. ,

, ProtoFuzz $
, $
. :
[XX] . , $
, $
. , $
256 , (2 ) $
65 536 .
<XX> . $
$

(Strings.txt). $
,
.
TCP,
,
:
00 0C F1 A4 83 57 00 13 49 25 D5 72 08 00 45 00 00 28<B0 3B>00 00 FE 06
89 40 C0 A8 01 01 C0 A8 01 02 08 A6 0B 35 14 9E E1 9F 9F 33 69 E5 50 11
10 00 09 4E 00 00 01 00 5E 00 00[16]



.
,
, IP$ MAC$ . $

RFC. HttpRequest
.NET. ,
URL, HTTP, $
Ethernet, TCP IP . $
,
, , $
, $
RFC. , $

,
, , ,
, .
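An added example, not ProtoFuzz's code (which is C#) and not from the book: a Python reading of the [XX] / <XX> notation above, applied to the chapter's own captured frame. It parses the annotated hex, generates one mutation at a time while leaving the MAC and IP addresses exactly as captured, and, for the point made above that a raw-frame fuzzer has to satisfy the protocol rules itself, recomputes the IPv4 header checksum after the identification field is changed. STRINGS is a three-entry stand-in for Strings.txt; the frame layout (Ethernet, IPv4, TCP, six bytes of padding) is as captured. Length-changing string replacements would additionally need the IP Total Length and the TCP checksum refreshed, which this example leaves out.

```python
import re

# Constructed for the example: the chapter's annotated frame (Ethernet +
# IPv4 + TCP + 6 bytes of Ethernet padding) with ProtoFuzz's markers kept.
ANNOTATED_FRAME = (
    "00 0C F1 A4 83 57 00 13 49 25 D5 72 08 00 45 00 00 28<B0 3B>00 00 FE 06 "
    "89 40 C0 A8 01 01 C0 A8 01 02 08 A6 0B 35 14 9E E1 9F 9F 33 69 E5 50 11 "
    "10 00 09 4E 00 00 01 00 5E 00 00[16]"
)

# Constructed stand-in for ProtoFuzz's Strings.txt.
STRINGS = [b"A" * 64, b"%n%n%n%n", b"\xff" * 8]

ETH_LEN = 14
TOKEN = re.compile(r"\[([0-9A-Fa-f ]+)\]|<([0-9A-Fa-f ]+)>|([0-9A-Fa-f]{2})")


def parse_annotated(text):
    """Split annotated hex into segments: ('lit', b) for bytes sent as
    captured, ('brute', b) for [..] and ('str', b) for <..>."""
    segments = []
    for m in TOKEN.finditer(text):
        brute, strrep, lit = m.groups()
        if brute is not None:
            segments.append(("brute", bytes.fromhex(brute)))
        elif strrep is not None:
            segments.append(("str", bytes.fromhex(strrep)))
        else:
            segments.append(("lit", bytes.fromhex(lit)))
    return segments


def assemble(segments, replace_at=None, value=None):
    """Join the segments, substituting `value` for segment replace_at."""
    return b"".join(value if i == replace_at else data
                    for i, (_, data) in enumerate(segments))


def mutations(segments, brute_limit=None):
    """Yield (label, frame), mutating one marked segment at a time: all
    256**n values of an n-byte [..] (optionally capped), every entry of
    STRINGS for a <..>. Unmarked bytes, MAC and IP addresses included, go
    out exactly as captured."""
    for idx, (kind, data) in enumerate(segments):
        if kind == "brute":
            n = len(data)
            count = 256 ** n if brute_limit is None else min(256 ** n, brute_limit)
            values = (v.to_bytes(n, "big") for v in range(count))
        elif kind == "str":
            values = iter(STRINGS)
        else:
            continue
        for value in values:
            yield "%s@%d" % (kind, idx), assemble(segments, idx, value)


def _fold(total):
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv4_checksum(header):
    """RFC 791 one's-complement checksum of an IPv4 header, with its own
    checksum field (bytes 10-11) taken as zero."""
    h = header[:10] + b"\x00\x00" + header[12:]
    total = sum(int.from_bytes(h[i:i + 2], "big") for i in range(0, len(h), 2))
    return (~_fold(total)) & 0xFFFF


def fix_ipv4_checksum(frame, eth_len=ETH_LEN):
    """Recompute the IPv4 header checksum after a mutation inside the IP
    header (the <B0 3B> identification field above): with a stale checksum
    the target's IP stack drops the packet before the service sees it."""
    ihl = (frame[eth_len] & 0x0F) * 4
    csum = ipv4_checksum(frame[eth_len:eth_len + ihl]).to_bytes(2, "big")
    return frame[:eth_len + 10] + csum + frame[eth_len + 12:]


def ipv4_header_ok(frame, eth_len=ETH_LEN):
    """True when the header, checksum field included, sums to 0xFFFF."""
    ihl = (frame[eth_len] & 0x0F) * 4
    h = frame[eth_len:eth_len + ihl]
    return _fold(sum(int.from_bytes(h[i:i + 2], "big")
                     for i in range(0, ihl, 2))) == 0xFFFF
```

The captured frame round-trips: its checksum bytes 89 40 are what ipv4_checksum() produces, so fix_ipv4_checksum() leaves an unmodified capture alone and only rewrites the field after a real change.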


ProtoFuzz, $
.

, $
$
. , $
, , $
. ,
, , , $
, , .


, $
, $
. $
$
, .
, $ $
,
, $ $
. ,
. $
,
. ,
.


,
, $
. , , , $
$
. , $
.
,
Performance Logs and Alerts System Monitor, $
Microsoft Management, $
.


.
, , ,
, $ $
. $
. , $
, , $
.


$
. Metro Packet Library1,
ProtoFuzz, ndisprot.inf
NDIS ( ), $
Microsoft .
NDIS $
, $
Ethernet. ProtoFuzz
; , $
net start ndisprot. $
, $
, ,
. Metro
, , .

.
, $
, $, $
. ,
, ProtoFuzz $
:
. ProtoFuzz
. $
, $

.
. ProtoFuzz
.


.
1. http://sourceforge.net/projects/dotmetro/

. $
, $
. ProtoFuzz $
, Ethernet $
TCP/UDP.

, ProtoFuzz,
$
. , $
Windows, $
, , $
.


FileFuzz,
Windows , $
, C# Mic$
rosoft .NET Framework. .NET
$
, , $
, ,
. $
.NET , $
.NET Framework. $
, .NET,
, $
.



$
. : $
, . , ,
, $ , $
,
.
, ProtoFuzz Win$
dows, . $
Microsoft Windows
WinPcap1, , $
, (Piero Viano) $
libpcap Windows . WinPcap

1. http://www.winpcap.org/

, $
.
,
, Wireshark (
Ethereal) Core Impact.1 $ WinPcap $
100 , $
, ,
!
WinPcap ProtoFuzz,
C#
. WinPcap
C, $
WinPcap , $
C#, , $
WinPcap. $
PacketX2, COM, $
WinPcap, $
, .
.
,
Metro Packet Library.
, WinPcap, # $
; $

. Metro $
. , $
$
, Ethernet, TCP, UDP, ICMP, IPv4 $
(ARP), , $
,
. , ProtoFuzz,
,
, Metro ,
,
.

. , $
ProtoFuzz $ www.fuzzing.org.
,
.

1. http://www.coresecurity.com/products/coreimpact/index.php
2. http://www.beesync.com/packetx/index.html


ProtoFuzz , $
. $
, , $

. $
, , $

. , Metro ,
, $
:
private const string DRIVER_NAME = @"\\.\ndisprot";
NdisProtocolDriverInterface driver = new NdisProtocolDriverInterface();
try
{
    driver.OpenDevice (DRIVER_NAME);
}
catch (SystemException ex)
{
    string error = ex.Message;
    error += "\n";
    error += "Please ensure that you have correctly installed the " +
             DRIVER_NAME + " device driver. ";
    error += "Also, make sure it has been started. ";
    error += "You can start the driver by typing \"net start " +
             DRIVER_NAME.Substring(DRIVER_NAME.LastIndexOf("\\") + 1) +
             "\" at a command prompt. ";
    error += "To stop it again, type \"net stop " +
             DRIVER_NAME.Substring(DRIVER_NAME.LastIndexOf("\\") + 1) +
             "\" in a command prompt. ";
    error += "\n";
    error += "Press 'OK' to continue... ";
    MessageBox.Show(error, "Error", MessageBoxButtons.OK,
                    MessageBoxIcon.Error);
    return;
}
foreach (NetworkAdapter adapter in driver.Adapters)
{
    cbxAdapters.Items.Add(adapter.AdapterName);
    if (cbxAdapters.Items.Count > 0)
        cbxAdapters.SelectedIndex = 0;
}

NdisProtocolDriverInterface, $
OpenDevice() ndisprot,
. , SystemException $
.

NetworkAdapter, $
. foreach ,
AdapterName .


, $
:
try
{
    maxPackets = Convert.ToInt32(tbxPackets.Text);
    capturedPackets = new byte[maxPackets][];
    driver.BindAdapter(driver.Adapters[cbxAdapters.SelectedIndex]);
    ThreadStart packets = new ThreadStart(capturePacket);
    captureThread = new Thread(packets);
    captureThread.Start();
}
catch (IndexOutOfRangeException ex)
{
    MessageBox.Show(ex.Message +
                    "\nYou must select a valid network adapter.",
                    "Error", MessageBoxButtons.OK, MessageBoxIcon.Error);
}

(capturedPackets), $
, , , $
. $
BindAdapter(),
NdisProtocolDriverInterface (driver).
capturePacket . $
, $
:
private void capturePacket()
{
    while (packetCount < maxPackets)
    {
        byte[] packet = driver.RecievePacket();
        capturedPackets[packetCount] = packet;
        packetCount++;
    }
}

$
ReceivePacket().
capturedPackets.


, $
. $
, Wireshark, $
,
TreeView
RichTextBox. $
,
. $
,
,
TreeView. ProtoFuzz
. 16.2.

. 16.2. ProtoFuzz

TreeView
. , TreeView, packet
TvwDecode(),
: Ethernet, TCP, UDP, IP, ARP ICMP. $
, , $
Ethernet:
Ethernet802_3 ethernet = new Ethernet802_3(capPacket);
strSourceMacAddress = ethernet.SourceMACAddress.ToString();
strDestMacAddress = ethernet.DestinationMACAddress.ToString();
strEthernet = "Ethernet II, Src: " + strSourceMacAddress +
", Dst: " + strDestMacAddress;
strSrcMac = "Source: " + strSourceMacAddress;
strDstMac = "Destination: " + strDestMacAddress;
strEthernetType = "Type: " + ethernet.NetworkProtocol.ToString();
strData = "Data: " + ethernet.Data.ToString();
TreeNode nodeEthernet       = tvwDecode.Nodes.Add(strEthernet);
TreeNode nodeEthernetDstMac = nodeEthernet.Nodes.Add(strDstMac);
TreeNode nodeEthernetSrcMac = nodeEthernet.Nodes.Add(strSrcMac);
TreeNode nodeType           = nodeEthernet.Nodes.Add(strEthernetType);
TreeNode nodeData           = nodeEthernet.Nodes.Add(strData);

, Ethernet802_3 $
capPacket, , ,
TreeView, . $
, $
.
16 :
static string PrintData(byte [] packet)
{
    string sData = null;
    int nPosition = 0, nColumns = 16;
    for (int i = 0; i < packet.Length; i++)
    {
        if (nPosition >= nColumns)
        {
            nPosition = 1;
            sData += "\n";
        }
        else
            nPosition++;
        byte nByte = (byte) packet.GetValue(i);
        if (nByte < 16)
            sData += "0";
        sData += nByte.ToString("X", oCulture.NumberFormat) + " ";
    }
    sData += "\n";
    return (sData);
}


,
([]) ,
(<>) .
$
. $
.


$
, $
. .NET
Framework ToString("X")
,
$
.1 HexEncoding, $
$
$
C# www.codeproject.com.


, , $
, . ProtoFuzz ,
, $
. ,
, , $
, , . $
SMTP, RCPT
TO, :
220 smtp.example.com ESMTP
HELO mail.heaven.org
250 smtp.example.com Hello smtp.example.com
MAIL FROM:god@heaven.org
250 2.1.0 god@heaven.org... Sender ok
RCPT TO:[Ax1000]


SMTP. $
TCP HELO, MAIL FROM
RCPT TO, .
1. http://www.codeproject.com/csharp/hexencoding.asp

, , $
RCPT TO ,
. $
SPIKE, $
, $
.
ProtoFuzz , $
,
. ,
$
, ,
.
, $
.
Mercury LoadRunner
Hewlett-Packard, Zero Day Initiative, TippingPoint,
.1 , $
TCP 54345, .
,
, , $
. , , , $
; $
, . $
, $
server_ip_name.
, ProtoFuzz
, server_ip_name $
.
, Mercury LoadRunner $
, $
, , , . $
,
ASCII , , $
server_ip_name, .
0070  2b 5b b6 00 00 05 b2 00  00 00 07 00 00 00 12 6d   +[...... .......m
0080  65 72 63 75 72 79 32 3b  31 33 30 34 3b 31 33 30   ercury2; 1304;130
0090  30 00 00 00 00 05 88 28  2d 73 65 72 76 65 72 5f   0......( -server_
00a0  69 70 5f 6e 61 6d 65 3d                            ip_name=

, server_ip_name, .
(<>).

1. http://www.zerodayinitiative.com/advisories/ZDI-07-007.html

ProtoFuzz , $
, Strings.txt. $
,
.
Strings.txt.
, ,
. Magentproc.exe
,
TCP 54345, $
. , OllyDbg
:
Registers
EAX 00000000
ECX 41414141
EDX 00C20658
EBX 00E263BC
ESP 00DCE7F0
EBP 41414141
ESI 00E2549C
EDI 00661221 two_way_.00661221
EIP 41414141
Stack
00DCE7F0 00000000
00DCE7F4 41414141
00DCE7F8 41414141
00DCE7FC 41414141
00DCE800 41414141
00DCE804 41414141
00DCE808 41414141
00DCE80C 41414141
00DCE810 41414141
00DCE814 41414141

, NetMail
, , $
. , $
, , ,
.


ProtoFuzz ,
.
, $

. ProtoFuzz, .

ProtoFuzz
.
,
, $
.
, , $
. $
() $
, . ProtoFuzz
,
. ProtoFuzz $
, $
, $

.
$
, $ $
.
ProtoFuzz $
.
, .

, ProtoFuzz
. ,
$
, $
. $
,
, . $
, $
, , ,
, $
. Metro Proto$
Fuzz, .NET Framework
.
ProtoFuzz .

17
Web Browser Fuzzing
:
, , .
$.,
$,
27 2000

$
, $
,
(). $
, $
$
. $
$
,
$.
$ $
$.
, $
, $
,
.
, 2006 $
. , $
$, Microsoft Internet Explorer Mozilla Firefox. $
HTML$, JavaScript, $

17. Web Browser Fuzzing

, JPG, GIF PNG,


ActiveX. ActiveX, $
Microsoft Windows, .
,
ActiveX. $
ActiveX COM, 2006 $
. $
ActiveX $
,
ActiveX. , $
$. $
,
.

?
$
HTML$, $
.
HTML, , $
, Java, RSS$, FTP$$
.
, $ $
. Google
.
, $


2006 . .
(MoBB).1 $
, , $
$
. , $
Microsoft Internet Explorer, $
$, Safari, Mozilla, Opera Konqueror.2
$
, $ $
, .
1. http://browserfun.blogspot.com/
2. http://osvdb.org/blog/?p=127

$
, MoBB Skywing skape (
Metasploit, . . ) $
$
Internet Explorer , , $
, $
.1 ,
, $
, MoBB. $
, $ , $

, , , $
$ $
, .
1. http://www.uninformed.org/?v=4&a=5&t=sumry

, .
, $
, .

, , , Firefox Internet
Explorer, , $
. $
, . $ $
, .
,
, $
. ,
, ,
, , $
Internet Explorer, Firefox
. , Internet Explorer ,
, $
. $
Firefox $ $
Internet Explorer. $, Netscape,
Opera, Safari Konqueror, $
, .

$ . $$
, , $
, $
. $$
, $
. $
.

$ ,
,
, .
, :
HTML+. $,
, $,
, ,
$
. , $
HTTP-EQUIV META
. $
. Mangleme1,
,
HTML$ $, , ,
HEAD $, :
<META HTTP-EQUIV="Refresh" content="0;URL=mangle.cgi">


mangleme mangleme.cgi, , $
$. $
JavaScript $
2000 :
<HTML>
<HEAD>
<SCRIPT LANGUAGE="JavaScript">
<!--
var time = null
function move() {
  window.location = 'http://localhost/fuzz'
}
//-->
</SCRIPT>
</HEAD>
<BODY ONLOAD="timer=setTimeout('move()',2000) ">

[Page Content]
</BODY>
</HTML>

1. http://freshmeat.net/projects/mangleme/

. $
$
. , $$
$ ,
. ,
fuzz.html Internet Explorer:
C:\>"C:\Program Files\Internet Explorer\iexplore.exe" C:\temp\fuzz.html

.
, .
,
,
. , $
ActiveX, $
$, .
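A generator in the spirit of mangleme, added here as an example (it is not mangleme's code, which is C, and not from the book): every page carries both the META refresh and the ONLOAD timer shown above, so the browser advances to the next case on its own, and a page's content is derived entirely from a seed, so the case that crashed the browser can be regenerated from its number alone. The tag/attribute table and the bad-value list are constructed for the example; mangle.cgi is the next-case URL used in the text.

```python
import html
import random

# Constructed tag/attribute vocabulary; mangleme's own list is far longer.
TAGS = {
    "A":      ["href", "target", "name"],
    "IMG":    ["src", "width", "height", "align"],
    "TABLE":  ["border", "cellspacing", "width"],
    "FONT":   ["color", "size", "face"],
    "IFRAME": ["src", "name", "width", "height"],
    "INPUT":  ["type", "value", "size"],
}


def bad_value(rng):
    """Attribute values of the kind behind the IFRAME/FRAME/EMBED findings:
    oversized, numerically extreme, or format-string shaped."""
    return rng.choice([
        "A" * rng.choice([256, 1024, 65535]),
        str(rng.choice([-1, 0, 2 ** 31 - 1, 2 ** 32 - 1, -2 ** 31])),
        "%" + "s" * rng.randint(1, 8),
        "#" + "F" * rng.randint(1, 12),
        "javascript:" + "x" * 64,
    ])


def mangle_element(rng):
    """One malformed element: random tag, random subset of its attributes
    carrying bad values, and about a third of the time no closing tag."""
    tag = rng.choice(sorted(TAGS))
    attrs = rng.sample(TAGS[tag], rng.randint(1, len(TAGS[tag])))
    attr_text = " ".join('%s="%s"' % (a, html.escape(bad_value(rng), quote=True))
                         for a in attrs)
    body = "x" * rng.randint(0, 32)
    close = "" if rng.random() < 0.3 else "</%s>" % tag
    return "<%s %s>%s%s" % (tag, attr_text, body, close)


def fuzz_page(seed, elements=20, next_url="mangle.cgi", delay_ms=2000):
    """Build test case number `seed`. The seed is the whole state: the same
    seed regenerates the same page, which is how a crash found hours into a
    run is reproduced. The META refresh (mangleme's mechanism) and the
    ONLOAD timer (the chapter's script) both point at the next case."""
    rng = random.Random(seed)
    head = [
        "<HTML>",
        "<HEAD>",
        '<META HTTP-EQUIV="Refresh" content="0;URL=%s">' % next_url,
        '<SCRIPT LANGUAGE="JavaScript">',
        "function move() { window.location = '%s' }" % next_url,
        "</SCRIPT>",
        "</HEAD>",
        '<BODY ONLOAD="setTimeout(\'move()\', %d)">' % delay_ms,
    ]
    body = [mangle_element(rng) for _ in range(elements)]
    return "\n".join(head + body + ["</BODY>", "</HTML>"])


def element_count(page):
    """Generated elements on a page: the lines between <BODY ...> and </BODY>."""
    lines = page.splitlines()
    start = next(i for i, l in enumerate(lines) if l.startswith("<BODY"))
    return lines.index("</BODY>") - start - 1
```

A CGI wrapper only has to keep a counter, serve fuzz_page(counter) and log the counter; when the browser stops coming back, the last logged number is the reproducer.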

ActiveX , ,
. COMRaider1, ,
ActiveX, .


, $ $

. ,
. $ $
$, , , $
, . , ,
, HTML.

HTML
, , HTML.
,
,
$ .
CVE-2003-0113[2],
$
..
Microsoft MS03-015[3]. (Jouko Pynnönen) $
1. http://labs.idefense.com/software/fuzzing.php#more_COMRaider
2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0113
3. http://www.microsoft.com/technet/security/bulletin/MS03-015.mspx

, $ urlmon.dll
'
1 . $
, Internet Explorer 5.x 6.x $
.

HTML
HTML$
. $ $
, HTML, XML XHTML,
$ HTML.
HTML , $
.
, $,
, $ $
, , $
.
, , $
.
HTML .
HTML, ,
$, $
$
(DTD). DTD, ,
, $
HTML 4.01:
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">

HTML, , $
. $
.
, $
. HTML $
:
<font color="red">Fuzz</font>

color font,
Fuzz . , $
, , HTML$
. $
HTML$,
,
HTML.
1. http://downloads.securityfocus.com/vulnerabilities/exploits/urlmon-ex.pl

Mangleme
$ HTML,
CVE-2004-1050[1], $
Microsoft MS04-040.[2] $
mangleme ,
SRC NAME IFRAME, FRAME EMBED
. $
3 . , $
HTML $, DOM$
Hanoi4 Hamachi5, . . .

XML
XML , $
(SGML),
HTTP. XML $
, RSS, $
(AVDL), $
. (SGL) . . HTML, $
XML
. , $
$
, $
. (VML)
XML, .
, Internet Explorer
Outlook,
VML. 19 2006 Microsoft $
925568[6], $
$
(vgx.dll), $
.
Microsoft .7 $
2007
.8

1. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1050
2. http://www.microsoft.com/technet/security/bulletin/ms04-040.mspx
3. http://downloads.securityfocus.com/vulnerabilities/exploits/InternetExploiter.txt
4. http://metasploit.com/users/hdm/tools/domhanoi/domhanoi.html
5. http://metasploit.com/users/hdm/tools/hamachi/hamachi.html
6. http://www.microsoft.com/technet/security/advisory/925568.mspx
7. http://www.microsoft.com/technet/security/Bulletin/MS06-055.mspx
8. http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=462

ActiveX
ActiveX
Microsoft, Microsoft COM, $
.1 $
ActiveX
, $$
.
ActiveX , ,
, $
Internet Explorer Windows.
, $.
ActiveX ;
, , $
, .
$
ActiveX, Windows
. $

$, $
, $$
.2 , $
ActiveX $
, ,
,
$.
COMRaider , $
, $
ActiveX .
, ActiveX,
, ,
$,
. COMRaider $
ActiveX .
ActiveX .
$
ActiveX. COMRaider $
, , $
. COMRaider
,
. . 17.1 , $
COMRaider
1. http://en.wikipedia.org/wiki/ActiveX_Control
2. http://msdn.microsoft.com/workshop/components/activex/safety.asp

. 17.1. COMRaider

ActiveX, $
.
AxMan1 ActiveX. AxMan $
. . $
ActiveX, 2006 $
.2


CSSDIE3 CSS, . . , ,
;

Opera.4 , background $
1. http://metasploit.com/users/hdm/tools/axman/
2. http://browserfun.blogspot.com/2006/08/axman-activex-fuzzer.html
3. http://metasploit.com/users/hdm/tools/see-ess-ess-die/cssdie.html
4. http://browserfun.blogspot.com/2006/07/mobb-26-opera-css-background.html

DHTML URL $
, .
, CSS, $
, CVE-2005-4089, MS06-021[1],

Internet Explorer. ,
@import ,
CSS.
(Matan Gillon) ( hacker.co.il) ,
, $
$ Google Desktop Search (GDS).2
,
Google, , $
Internet Explorer
( GDS)
. CSS $
, $
. , anchor , {color: white}.
CSS
@import, Internet Explorer
CSS, , $
, $
cssText. ,
GDS, $
. Google News
CSS }{. ,
cssText, $
GDS . $
GDS ,
, @import, GDS.


$
$.
, $
JavaScript, , VBScript,
Jscript3 ECMAScript4.
, $
. , ECMAScript $
JavaScript, Jscript JavaScript
1. http://www.microsoft.com/technet/security/Bulletin/MS06-021.mspx
2. http://www.hacker.co.il/security/ie/css_import.html
3. http://en.wikipedia.org/wiki/Jscript
4. http://en.wikipedia.org/wiki/Ecmascript

Microsoft. $
$, $
.
, $
, , $
, $
, ActiveX. ,
. $
, , ,
Internet Explorer JavaScript $
1.

JavaScript:
for (var i in window.alert) { var a = 1; }
JavaScript Firefox, $
(Azafran), , $
$ $
.2 $,
replace(). , $
,
, .


,
, , $
.
,
,
. JavaScript $
, $
. , $

. , , $
,
. ,
EAX:

1. http://browserfun.blogspot.com/2006/07/mobb-25-native-function-iterator.html
2. http://www.mozilla.org/security/announce/2005/mfsa2005-33.html

MOV EAX, [EAX]


CALL [EAX+4]

EAX ,
$
. $

,
$
. JavaScript $
heap $

. , JavaScript $
NOP $$
,
$. NOP
$
. $
NOD, $
NOD .
$ ( SkyLined) $

Internet Explorer1, 0x0D.
,
. $,
5-byte NOP: OR EAX, 0D0D0D0D. $
, , $
. $
, .
OllyDbg Heap Vis2,
. 17.2.3 ,
Internet Explorer
, , $
.
Heap Vis $
.

1. http://www.milw0rm.com/exploits/930
2. http://www.openrce.org/downloads/details/1
3. http://pedram.openrce.org/images/olly_heap_vis/skylined_ie_heap_fill.gif

. 17.2. OllyDbg Heap Vis

500 ,
0x0D0A0020. 0x0D0D0D0D.
Heap Block 0D0A0020..0D12101F
$
0x0D $.
, $
EAX 0x0D0D0D0D. MOV
EAX, [EAX] , EAX $
, , ,
0x0D. , CALL [EAX+4], $
0x0D0D0D11, $
0x0D. $
$
, NOP, ,
$, .
0x0D0D0D0D $
,

. , $
, ,
, $
. ,
0x44444444, , $
, $
,
.
, $
: 0x01010101,
ADD [ECX], EAX, 0x0A0A0A0A, OR CL,
[EDX]. , , $ $
, ECX,
, $ , $
EDX.
0x05050505, ADD EAX, 0x05050505.

.
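The argument above about why 0x0D0D0D0D works while 0x44444444, 0x01010101 or 0x0A0A0A0A do not can be checked mechanically. The Python below is an added example, not from the book and not SkyLined's exploit: it models the sprayed heap as one range filled with a repeated byte, walks the crash site's MOV EAX,[EAX] / CALL [EAX+4] through that model, and reports whether the call lands inside the sled and whether the fill byte decodes to an instruction without side effects. The spray boundaries are the Heap Vis block quoted in the text; the opcode table is a hand-picked subset, and the single-range heap is the model's simplification.

```python
# Spray region from the text: about 500 heap blocks of 0x0D0D0D0D cover
# roughly 0x0D0A0020..0x0D12101F (the Heap Vis block shown above).
SPRAY = (0x0D0A0020, 0x0D121020)

# Single-byte x86 opcodes considered as fill bytes: what the repeated byte
# decodes to, and whether that instruction is free of memory and stack
# pointer side effects (a usable sled must be).
FILLS = {
    0x0D: ("OR EAX, imm32", True),     # 0D 0D0D0D0D: 5 bytes, re-synchronises at any offset
    0x05: ("ADD EAX, imm32", True),    # same shape as 0x0D
    0x44: ("INC ESP", False),          # walks the stack pointer away on every step
    0x01: ("ADD [ECX], EAX", False),   # writes through ECX
    0x0A: ("OR CL, [EDX]", False),     # reads through EDX
}


def fill_value(byte):
    """The dword a region filled with `byte` contains at any alignment."""
    return int.from_bytes(bytes([byte]) * 4, "little")


def read_dword(addr, spray, fill):
    """Read [addr] from a model where only the sprayed range is mapped;
    None stands for an access violation."""
    start, end = spray
    return fill if start <= addr and addr + 4 <= end else None


def follow_chain(eax, spray, fill):
    """The crash site from the text:
          MOV EAX, [EAX]   ; fetch an object pointer from controlled memory
          CALL [EAX+4]     ; call through what it takes to be a vtable
    Returns (call_target, faulting_address); exactly one of them is None."""
    p = read_dword(eax, spray, fill)
    if p is None:
        return None, eax
    target = read_dword(p + 4, spray, fill)
    if target is None:
        return None, p + 4
    return target, None


def evaluate_fill(byte, spray=SPRAY):
    """Does spraying `byte` turn the dereference chain into execution of the
    sled? The fill must itself be an address inside the spray (so [EAX] and
    [EAX+4] both read the fill again) and the repeated byte must decode to a
    side-effect-free instruction."""
    fill = fill_value(byte)
    target, fault = follow_chain(fill, spray, fill)
    in_spray = target is not None and spray[0] <= target < spray[1]
    mnemonic, clean_sled = FILLS.get(byte, ("not in table", False))
    return {"fill": fill, "call_target": target, "fault": fault,
            "decodes_as": mnemonic, "usable": in_spray and clean_sled}


def spray_needed(byte, heap_start=SPRAY[0]):
    """Bytes of heap to allocate, starting at heap_start, before the address
    fill_value(byte) + 8 exists at all: the price of a fill like 0x44."""
    return max(0, fill_value(byte) + 8 - heap_start)
```

Run evaluate_fill(0x0D) and evaluate_fill(0x44) side by side: the first lands the call at 0x0D0D0D0D inside the sled, the second faults on the very first read because nothing has been sprayed that high, and spray_needed(0x44) puts the cost of getting there at well over 800 MB.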

Flash
, Adobe Flash Player $$
, , $
, ,
$
Flash Player. Flash$ $
.swf ,
$,
$ Flash Player. $
.swf ,
11 , 12 $
: UNIX 13 :
Windows, $
. 2005 eEye $
Macromedia Flash 6 7. $
, $
, , . Flash$
ActionScript, ,
Flash $
.1

1. http://en.wikipedia.org/wiki/Actionscript

ActionScript,
Flash$.
2006 Rapid7 ,
, XML.addRequestHeader() $
HTTP
Flash.1 , ,
HTTP $
HTTP.

URL
URL .
MS06-042[2] eEye , $
$
. , URL $
Internet Explorer, $ GZIP
,
, lstrcpynA() URL
2084 , 260 .3 , $
, ,
URL; , , $
Internet Explorer.

, $
$
, $
, , :
DoS (Denial-of-service). $
$ $
,
. , $
,
.
.
, $
$ ,
. $
, .
.
$. $
1. http://www.rapid7.com/advisories/R7-0026.jsp
2. http://www.microsoft.com/technet/security/bulletin/ms06-042.mspx
3. http://research.eeye.com/html/advisories/published/AD20060824.html

, $
, , $
.
. $
,
, $
. , (Albert Puigsech
Galicia) , FTP $
FTP URI, , Internet
Explorer 6.x $
FTP $
.1 , , $
. $
, $
,
. Microsoft MS06$042.
. $ $
, $
. ,
, ,
cookies , $
. , $
. $
GDS, ,
.
. Internet Explorer $
, . $
, , , $
, , , .
, , , ,
. 2005
,
, URL$ $
, Internet Explorer
, , $
.2 , , $
, $
. Microsoft
$
MS05-014.[3]

1. http://osvdb.org/displayvuln.php?osvdb_id=12299
2. http://jouko.iki.fi/adv/zonespoof.html
3. http://www.microsoft.com/technet/security/bulletin/ms05-014.mspx

. ,
$
, , $
.
$
, $
$, $
. , $
, ,
$ $
, . $
, $
.

$, , $
.
, . , $
:
.
Windows, Event Viewer. Internet Explorer 7.0 Internet Explorer Event Viewer.
Internet Explorer , $
.
, $
, .
. $
, ,
$. $
$
. , ,
, $
, $
.
. $
$ $
, . $
, $
, ,
.

, $
,
, $
.
, . $
, ,
, .
$ $
. $
, $
$.
$.

18
Web Browser Fuzzing: Automation
.
,
.
$.,
, ,
20 2000

17 $ $
$ . $

,
$
, Mozilla Firefox Microsoft Internet Explorer.
,
ActiveX. Internet
Explorer ActiveX ,
, , $
. Internet Explorer
, Microsoft $
$.
ActiveX, $
ActiveX.


Microsoft COM ,
1990$ $

18. Web Browser Fuzzing: Automation

. $
,
, COM,
, ,
, . COM , $
$
( ).


COM $
(Dynamic Data Exchange, DDE), , $
Windows. DDE , clipbook viewer (NetDDE) Microsoft Hearts ( NetDDE). 1991
Microsoft $
(Object Linking and Embedding, OLE). DDE $
, OLE $
. OLE $

(VTBL).
OLE COM, OLE 2, $
OLE, COM, VTBL. 1996 $
ActiveX. , , Microsoft
Distributed COM (DCOM)
COM Common Object Request Broker Architecture[1] (CORBA). DCOM RPC$ Distributed Computing Environment/Remote Procedure Calls[2] (DCE/RPC).
DCOM COM, $
$
, .
COM COM+,
Windows 2000. COM+

Microsoft Transaction Server Windows 2000. DCOM, COM+ $
,
.


COM , . , $
ActiveX,
1. http://en.wikipedia.org/wiki/Corba
2. http://en.wikipedia.org/wiki/DCE/RPC

. $
COM, ,
. COM $
128$ , ID (CLSID).
, COM$ 128$
, ID (IID).
COM$ IStream, IDispatch IObjectSafety. ,
$
IUnknown.
CLSID $
(ProgID). ProgID $
, $
. :
000208D5-0000-0000-C000-000000000046
Excel.Application
CLSID, ProgID,
. , , ProgIDs
.

ActiveX
ActiveX COM, , ,
$. Java, ActiveX $
$
, . $
ActiveX $
.
ActiveX , , ,
$, $ , $$
, $ .
Microsoft Internet Explorer ,
ActiveX Document Object Model (DOM) , $
. $
:
Pure DOM
<object classid = "clsid:F08DF954-8592-11D1-B16A-00C0F0283628"
        id      = "Slider1"
        width   = "100"
        height  = "50">
  <param name="BorderStyle"  value="1" />
  <param name="MousePointer" value="0" />
  <param name="Enabled"      value="1" />
  <param name="Min"          value="0" />
  <param name="Max"          value="10" />
</object>
Slider1.method(arg, arg, arg)

Outdated Embed

<embed type   = "application/x-oleobject"
       name   = "foo"
       align  = "baseline"
       border = "0"
       width  = "200"
       height = "300"
       clsid  = "{8E27C92B-1264-101C-8A2F-040224009C02}">
foo.method(arg, arg, arg)

Javascript / Jscript

<script type="javascript">
function call_function()
{
    obj = new ActiveXObject('AcroPDF.PDF');
    obj.property = "value";
    obj.method(arg, arg, arg);
}
call_function();
</script>

Visual Basic

<object classid = 'clsid:38EE5CEE-4B62-11D3-854F-00A0C9C898E7'
        id      = 'target' >
</object>
<script language='vbscript'>
'Wscript.echo typename(target)
'Sub SelectAndActivateButton ( ByVal lButton As Long )
arg1=2147483647
target.property = arg1
target.method arg1
</script>


ActiveX
COM. $
, $

Internet Explorer.
Microsoft COM $
, .
COM $ Microsoft
COM1 ,

1. http://www.microsoft.com/com/default.mspx

MSDN : 1,
.

ActiveX,
COM.


ActiveX . $
, $
ActiveX. COMRaider[2] Visual Basic $
C++. AxMan[3] C++, JavaScript HTML.
,
:
ActiveX.
ActiveX
.
$
.
.
.
,
, Python. ,
. Python $
, $
, Windows API. $
, , , COM,
win32api, win32com, pythoncom win32con. (
Python Windows,
Python Programming on Win32.[4] $
, Python COM.) . 18.1 18.2 PythonWin COM , $
COM$
.

1. http://msdn2.microsoft.com/en-us/library/ms809980.aspx
2. https://labs.idefense.com/software/fuzzing.php#more_comraider
3. https://metasploit.com/users/hdm/tools/axman/
4. http://www.oreilly.com/catalog/pythonwin32/

. 18.1. PythonWin COM

. 18.2. PythonWin

, $
Microsoft Excel $
Visible:
import win32com.client
xl = win32com.client.Dispatch("Excel.Application")
xl.Visible = 1

, ,
ActiveX, .
, , $
COM$, $
$ (http://www.fuzzing.org).

ActiveX
COM,
. COM $
Windows1, HKEY_LOCAL_
MACHINE (HKLM) SOFTWARE\Classes.
API Windows:2
import win32api, win32con
import pythoncom, win32com.client
from win32com.axscript import axscript

try:
    classes_key = win32api.RegOpenKey( \
        win32con.HKEY_LOCAL_MACHINE, \
        "SOFTWARE\\Classes")
except win32api.error:
    print "Problem opening key HKLM\\SOFTWARE\\Classes"

$

COM. $
CLSID. CLSID , , $
:
skey_index = 0
clsid_list = []
while True:
    try:
        skey = win32api.RegEnumKey(classes_key, skey_index)
    except win32api.error:
        print "End of keys"
        break
    progid = skey
    try:
        skey = win32api.RegOpenKey(win32con.HKEY_LOCAL_MACHINE, \
            "SOFTWARE\\Classes\\%s\\CLSID" % progid)
    except win32api.error:
        print "Couldn't get CLSID key...skipping"
        skey_index += 1
        continue
    try:
        clsid = win32api.RegQueryValueEx(skey, None)[0]
    except win32api.error:
        print "Couldn't get CLSID value...skipping"
        skey_index += 1
        continue
    clsid_list.append((progid, clsid))
    skey_index += 1

1. http://en.wikipedia.org/wiki/Windows_registry
2. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sysinfo/base/registry_functions.asp

$
,
COM. COM
, Internet Explorer.
, $
ActiveX , $
. Internet Explorer $
, $
. Internet Ex$
plorer ActiveX,
:1
Windows
.
Windows
.
COM$ IObjectSafety.
Windows Component Categories, $
, $
. : CATID_SafeForScripting
CATID_SafeForInitializing. , $
CLSID Internet Explorer:
def is_safe_for_scripting (clsid):
    try:
        key = win32api.RegOpenKey(win32con.HKEY_CLASSES_ROOT, \
            "CLSID\\%s\\Implemented Categories" % clsid)
    except win32api.error:
        return False
    skey_index = 0
    while True:
        try:
            skey = win32api.RegEnumKey(key, skey_index)
        except:
            break
        # CATID_SafeForScripting
        if skey == "{7DD95801-9882-11CF-9FA9-00AA006C42C4}":
            return True
        skey_index += 1
    return False

def is_safe_for_init (clsid):
    try:
        key = win32api.RegOpenKey(win32con.HKEY_CLASSES_ROOT, \
            "CLSID\\%s\\Implemented Categories" % clsid)
    except win32api.error:
        return False
    skey_index = 0
    while True:
        try:
            skey = win32api.RegEnumKey(key, skey_index)
        except:
            break
        # CATID_SafeForInitializing
        if skey == "{7DD95802-9882-11CF-9FA9-00AA006C42C4}":
            return True
        skey_index += 1
    return False

1. http://msdn.microsoft.com/workshop/components/activex/safety.asp

, ActiveX
Internet Explorer, $
IObjectSafety. , $
ActiveX IObjectSafety, $
. ,
ActiveX IObjectSafety $
, , Internet Explorer:
def is_iobject_safety (clsid):
    try:
        unknown = pythoncom.CoCreateInstance(clsid, \
                                             None, \
                                             pythoncom.CLSCTX_INPROC_SERVER, \
                                             pythoncom.IID_IUnknown)
    except:
        return False
    try:
        objsafe = unknown.QueryInterface(axscript.IID_IObjectSafety)
    except:
        return False
    return True

ActiveX, . Microsoft kill bitting[1], CLSID Internet Explorer HKLM\Software\Microsoft\Internet Explorer\ActiveX Compatibility\<CLSID of ActiveX Control>. CLSID,
,
. :
def is_kill_bitted (clsid):
    try:
        key = win32api.RegOpenKey(win32con.HKEY_LOCAL_MACHINE, \
            "SOFTWARE\\Microsoft\\Internet Explorer" \
            "\\ActiveX Compatibility\\%s" % clsid)
    except win32api.error:
        return False
    try:
        (compat_flags, typ) = win32api.RegQueryValueEx(key, \
            "Compatibility Flags")
    except win32api.error:
        return False
    if typ != win32con.REG_DWORD:
        return False
    if compat_flags & 0x400:
        return True
    else:
        return False

, ActiveX ,
.

, ,
$
, ActiveX . $
, COM,
. ,
. COM
, ,
. $
ActiveX $
, ,
. ,
.
1. http://support.microsoft.com/kb/240797

COM ,
VARIANT. VARIANT
: , , , ,
, COM . PythonCOM
,
. . 18.1 $
Python VARIANT.
Table 18.1. PythonCOM mapping of Python types to VARIANT types

Python       VARIANT
Integer      VT_I4
String       VT_BSTR
Float        VT_R8
None         VT_NULL
True/False   VT_BOOL

pythoncom LoadTypeLib() $
COM. ,
COM, $
. , Adobe Acrobat PDF, . 18.2. ActiveX Adobe Acrobat Reader, Internet Explorer
, .
,
, Python, $
VARIANT:
adobe = r"C:\Program Files\Common Files" \
r"\Adobe\Acrobat\ActiveX\AcroPDF.dll"
tlb = pythoncom.LoadTypeLib(adobe)
VTS = {}
for vt in [x for x in pythoncom.__dict__.keys() if x.count("VT_")]:
VTS[eval("pythoncom.%s"%vt)] = vt

VARIANT
, .
, GetTypeInfoCount(). ,
. 18.2. $
:
for pos in xrange(tlb.GetTypeInfoCount()):
name = tlb.GetDocumentation(pos)[0]
print name

314

18. <:

, Acrobat . $
, . 18.2, IAcroAXDocShim. $
, ,
. . , . $
$

:
info = tlb.GetTypeInfo(2)
attr = info.GetTypeAttr()
print "properties:"
for i in xrange(attr.cVars):
    id = info.GetVarDesc(i)[0]
    names = info.GetNames(id)
    print "\t", names[0]

cVars ( $
), .
. , $
;
:
print "methods:"
for i in xrange(attr.cFuncs):
    desc = info.GetFuncDesc(i)
    if desc.wFuncFlags:
        continue
    id    = desc.memid
    names = info.GetNames(id)
    print "\t%s()" % names[0]
    # names[1:] are the parameter names; desc.args holds their VARIANT types
    for j, name in enumerate(names[1:]):
        print "\t\t%s, %s" % (name, VTS[desc.args[j][0]])

cFuncs $
, .
, wFuncFlags. ,
() , ,
. GetNames() ,
. $
, , names[1:], $
. , $
GetFuncDesc(), VARIANT $
( ). VARIANT $
,
VARIANT, .

IAcroAXDocShim ActiveX Adobe Acrobat PDF ActiveX
:
properties:
methods:
    src()
    LoadFile()
        fileName, VT_BSTR
    setShowToolbar()
        On, VT_BOOL
    gotoFirstPage()
    gotoLastPage()
    gotoNextPage()
    gotoPreviousPage()
    setCurrentPage()
        n, VT_I4
    goForwardStack()
    goBackwardStack()
    setPageMode()
        pageMode, VT_BSTR
    setLayoutMode()
        layoutMode, VT_BSTR
    setNamedDest()
        namedDest, VT_BSTR
    Print()
    printWithDialog()
    setZoom()
        percent, VT_R4
    setZoomScroll()
        percent, VT_R4
        left, VT_R4
        top, VT_R4
    setView()
        viewMode, VT_BSTR
    setViewScroll()
        viewMode, VT_BSTR
        offset, VT_R4
    setViewRect()
        left, VT_R4
        top, VT_R4
        width, VT_R4
        height, VT_R4
    printPages()
        from, VT_I4
        to, VT_I4
    printPagesFit()
        from, VT_I4
        to, VT_I4
        shrinkToFit, VT_BOOL
    printAll()
    printAllFit()
        shrinkToFit, VT_BOOL
    setShowScrollbars()
        On, VT_BOOL
    GetVersions()
    setCurrentHightlight()
        a, VT_I4
        b, VT_I4
        c, VT_I4
        d, VT_I4
    setCurrentHighlight()
        a, VT_I4
        b, VT_I4
        c, VT_I4
        d, VT_I4
    postMessage()
        strArray, VT_VARIANT
    messageHandler()

39 ()
.
. $
$
,
, $
. ,
(VT_I2) (VT_I4).
, ,
0xFFFF (65535), $
0xFFFFFFFF (4294967295).
,
, Internet Explorer $
ActiveX .
.
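The type information enumerated above is what drives value selection. The following Python is an added example (not COMRaider, not AxMan, and not the book's script): it parses the printed method listing back into method/parameter/VARIANT-type tuples, builds boundary values whose width matches the VT type (a VT_I2 parameter gets 0x7FFF and -0x8000, a VT_I4 gets 0x7FFFFFFF and -0x80000000, a VT_UI4 gets 0xFFFFFFFF), and emits one call per (method, parameter, value) with the remaining arguments held at a benign default. invoke() runs a case against any object exposing those methods, such as win32com.client.Dispatch("AcroPDF.PDF.1") on Windows. METHOD_LISTING is a constructed four-method excerpt of the IAcroAXDocShim output above.

```python
# Constructed: a four-method slice of the IAcroAXDocShim listing, in the
# format the enumeration script prints.
METHOD_LISTING = """\
methods:
    LoadFile()
        fileName, VT_BSTR
    setCurrentPage()
        n, VT_I4
    setZoomScroll()
        percent, VT_R4
        left, VT_R4
        top, VT_R4
    printPagesFit()
        from, VT_I4
        to, VT_I4
        shrinkToFit, VT_BOOL
"""


def parse_listing(text):
    """[(method, [(param, vt), ...]), ...] from the printed listing: a
    method line ends in '()', parameter lines below it read 'name, VT_xxx'."""
    methods = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):
            continue
        if line.endswith("()"):
            methods.append((line[:-2], []))
        elif methods:
            name, vt = (p.strip() for p in line.split(",", 1))
            methods[-1][1].append((name, vt))
    return methods


def int_boundaries(bits, signed):
    """Limits and their off-by-one neighbours for a bits-wide integer."""
    if signed:
        lo, hi = -(1 << (bits - 1)), (1 << (bits - 1)) - 1
    else:
        lo, hi = 0, (1 << bits) - 1
    vals = [lo, lo + 1, -1, 0, 1, hi // 2, hi // 2 + 1, hi - 1, hi]
    return list(dict.fromkeys(v for v in vals if signed or v >= 0))


# Width matters: a VT_I2 cannot carry 0xFFFFFFFF, and a VT_I4 offered only
# 16-bit maxima never reaches the wrap the text describes.
FUZZ_VALUES = {
    "VT_I2":   int_boundaries(16, True),
    "VT_UI2":  int_boundaries(16, False),
    "VT_I4":   int_boundaries(32, True),
    "VT_UI4":  int_boundaries(32, False),
    "VT_R4":   [0.0, -0.0, 3.4e38, -3.4e38, 1e-45, float("inf"), float("nan")],
    "VT_R8":   [0.0, 1.7e308, -1.7e308, 5e-324, float("inf"), float("nan")],
    "VT_BOOL": [True, False, -1, 2],     # VARIANT_TRUE is -1; 2 is neither value
    "VT_BSTR": ["", "A" * 1024, "A" * 65536, "%s%s%s%n", "../" * 64,
                "\\\\127.0.0.1\\share\\x", "\x00" * 16, "C:\\" * 512],
}
BENIGN = {"VT_BSTR": "test", "VT_BOOL": True, "VT_R4": 1.0, "VT_R8": 1.0}


def fuzz_values(vt):
    return FUZZ_VALUES.get(vt, [None])   # unknown types, VT_VARIANT: pass Nothing


def fuzz_cases(methods):
    """One case per (method, parameter, value); the other parameters carry a
    benign value of their own type, so each case varies exactly one thing."""
    cases = []
    for method, params in methods:
        for idx, (pname, vt) in enumerate(params):
            for value in fuzz_values(vt):
                args = [value if i == idx else BENIGN.get(t, 1)
                        for i, (_, t) in enumerate(params)]
                cases.append((method, pname, args))
    return cases


def invoke(obj, method, args):
    """Run one case against a live object. COM errors are normal and are
    recorded; a crash ends the process, which is why a real harness drives
    the control inside a process running under a debugger and watches for
    the exception instead of catching it here."""
    try:
        return "ok", getattr(obj, method)(*args)
    except Exception as exc:          # pywintypes.com_error on Windows
        return "error", "%s: %s" % (type(exc).__name__, exc)
```

On Windows the loop is `for m, p, a in fuzz_cases(parse_listing(listing)): invoke(win32com.client.Dispatch("AcroPDF.PDF.1"), m, a)`; the listing can come straight from the type-library walk above instead of a pasted string.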


6
$
. $
.

, , $
, . $

. $

ActiveX,
,
Internet Explorer.
, , , WinZip FileView ActiveX
Control Unsafe Method Exposure Vulnerability.1 $
ActiveX ProgID WZFILEVIEW.FileViewCtrl.61 $
, $
$ $
. , ExeCmdForAllSelected
ExeCmdForFolder , ,
,
, $ FTP.
:
, $
. WinZip ,
kill bit.
, , $
, URL $
, , $
WinZip FileView. , $
,
, $ .
.
, $
. $
HTML,
ActiveX;
.
. $
,
Internet Explorer. $
.
Python ActiveX Acrobat PDF
:
adobe = win32com.client.Dispatch("AcroPDF.PDF.1")
print adobe.GetVersions()
adobe.LoadFile("c:\\test.pdf")


Adobe COM, adobe.
. $
GetVersions(),
PDF Acrobat Reader. , $

1. http://www.zerodayinitiative.com/advisories/ZDI-06-040.html
.
. Python COM
PaiMei1 $
. $
, .
, ,
ActiveX. $
, , $
, .
PaiMei API.
. $
Microsoft, CreateFile()2
CreateProcess()3, ,
ActiveX .
API $
.
, $
.
GetURL(), DownloadFile(), Execute()
. ., , ,
.

COM Microsoft
ActiveX, $
$ Internet Explorer.
Python COM , $
ActiveX,
, , . ,
, $
COM$, $
$ (http://www.fuzzing.org).

1. http://www.openrce.org/downloads/details/208/PaiMei
2. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/fileo/fs/createfile.asp
3. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/createprocess.asp

19
In-Memory Fuzzing

.
$.,
,
,
19 2001

$
,

. , , $
( ) $
, .
,
, $
, , $
, .

UNIX, Windows.
$
.
Microsoft Windows . $, $
,
Windows, UNIX. $, Windows
API $
. , API$ $
UNIX, ,

19. In-Memory Fuzzing

. ,
, , , .

: ?
$
. 11 $
, 12 : $
UNIX 13 :
Windows $
. 14 , 15 $
: UNIX 16 $
: Windows
$. $
$
,
. , $
.
. $
$
, .
,
, . $
, $
$.
? , $
,
.
,
.
. $
$$
, , $
. $
,
. , $
,
, $ $
.
,
,
.
, . $
.



,
Microsoft Windows, $

Windows. $
, , , $
. ,
$
.
Windows 95 Windows
32$
4 . 4
. (0x00000000
0x7FFFFFFF) , (0x80000000
0xFFFFFFFF) . $
3 : 1 ( /3GB boot.ini1): 3 $
1
Oracle.
, , $
.
, , $
. $

$
, $
.
, Windows
. ,
$
4 .

(MMU). $
, $
4 .
. $
4096 (01000) Windows. , $
, RAM ( $
).
( )
RAM.
Windows
.

http://support.microsoft.com/kb/q291988/


;
. , $
, , :1
PAGE_EXECUTE ( ). $
,
.
PAGE_EXECUTE_READ ( ).
,
.
PAGE_EXECUTE_READWRITE (, ).
: ,
, .
PAGE_NOACCESS ( ). $
. ,
.
PAGE_READONLY ( ).
. $
. $
( ),
.
PAGE_READWRITE ( ).
. PAGE_READONLY, $
,
$
.
PAGE_GUARD ($
), MSDN2 $
STATUS_GUARD_PAGE_VIOLATION $
,
. PAGE_GUARD
.
. $
PAGE_NOACCESS.
,
, .
, $
. $
. :
Windows 4 $
.

1 http://msdn2.microsoft.com/en-us/library/aa366786.aspx
2
.


,
0x00000000 0x7FFFFFFF, .

.
4 $
4096 (0x1000).

.
PAGE_GUARD
.

. 19.1, ,
Windows $
.
,
.

, .
,
. 19.1, , .
, 0x00010000
. , 7 $
, $
, $
. $
, 0x00030000 0x00150000. ,
, ,
malloc() HeapAlloc(). , $
. ,
0x0012F000, .
, $
. , $
.
2 0x00D8D000. 0x00400000
,.exe, $
. $
DLL
kernel32.dll ntdll.dll. DLL $
Microsoft, , $
. , DLL
Portable Executable (PE). , $
. 19.1 $
.
, $
. $


[Figure 19.1 residue: address ticks 0x00000000, 0x00010000, 0x00030000, 0x0012F000, 0x00150000, 0x00400000, 0x00D8D000, 0x71AB0000, 0x7C800000 (KERNEL32.DLL), 0x7C900000 (NTDLL.DLL), 0x7F000000, 0x80000000, 0xFFFFFFFF]

. 19.1. Windows ( )

.1
, $ $
.
1 Microsoft Windows Internals, Fourth Edition, Mark E. Russinovich, David A. Solomon; Undocumented Windows 2000 Secrets: A Programmer's Cookbook, Sven Schreiber; Undocumented Windows NT, Prasad Dabak, Sandeep Phadke, Milind Borate.


< ?


?
. $

. . $
. 19.2, $
, .

while(1):
accept()
recv()
func1()
unmarshal()
parse()

func2()

...

. 19.2.

$
. ,
,
j recv().
$
. unmarshal() $
,
. , , $
parse(), $
. parse() $
, $
, $
.
,
?
, $
, . $
$
,


, . $

, ,
, .
, ,
, $
.

, $
$
. $
, $
; 22
.
.
$
, SMTP, POP HTTP, $
RFC, ,
, . ,
$
, , $
. ,
, $ $
, . , $
, $
.
, ,
? , $
? $
Skype1
. EADS/CRC $
2, $
Skype (SKYPE$SB/2005$003)3. $
, , $
, ? $
.

.
1 http://www.skype.com
2 http://www.ossir.org/windows/supports/2005/2005-11-07/EADS-CCR_Fabrice_Skype.pdf
3 http://www.skype.com/security/skype-sb-2005-03.html


, $
, , $
$
, , $
. ,

, , $
.

:
$
(mutation loop insertion, MLI). MLI , $
, $
parse(). MLI$
mutate() . $
, ,
,
. MLI$ $
$
.
, $
, . 19.3.
, ? $
. $
.
.

while(1):
accept()

recv()
func1()
unmarshal()
parse()

func2()

...
mutate()

. 19.3.


,
, , mutate().
, $
. , $
, , $
. 20
: , $
.

+
(snapshot restoration mutation, SRM).
MLI, , $
, $
parse(). , MLI, SRM
. ,
SRM$
. $
, , $
. $
, . 19.4.
, $
. 20 $

while(1):
accept()

recv()
func1()

unmarshal()

snapshot()

restore()

parse()

func2()

...

. 19.4.


, $
, . $
, , $
, .
, , $
.


$
. $ $
,

.
. , , $
POP, TCP$ 110. $
(, $
, ):
$ nc mail.example.com 110
+OK Hello there.
user pedram@openrce.org
+OK Password required.
pass xxxxxxxxxxxx
+OK logged in.
list
+OK
1 1673
2 19194
3 10187
... [output truncated]...
.
retr 1
+OK 1673 octets follow.
Return-Path: <ralph@openrce.org>
Delivered-To: pedram@openrce.org
[output truncated]
retr AAAAAAAAAAAAAAAAAAAAAAA
-ERR Invalid message number. Exiting.

$
RETR, ,

. $
$
$
. ,
4 .




.
, $
. MLI$, SRM$
, (
),
. $
,
. $
, , , $
Skype, .

. $
1 $
$
. $
,
, $
. . 19.5.

[Figure 19.5 residue: parse_name() calls read_string(); the input "pedram" becomes "pedramAAAA..." or "pedram%s%s%s" after mutate()]

. 19.5.

MLI parse_name() read_string(). $


parse_name()
.
,
.
1 http://en.wikipedia.org/wiki/Heisenberg_principle


, $
, $
.

.
$
, . $
, $
$
.
,
, $
.
.
,
HBGary LLC 1 $
2 Blackhat Security 2003 .
HBGary $
Inspector3. $
,
. , $
, $
.
$
. $
, , $
. , $
, $ http://www.fuzzing.org.

1 http://www.blackhat.com/presentations/bh-federal-03/bh-fed-03-hoglund.pdf
2 http://www.blackhat.com/presentations/bh-usa-03/bh-us-03-hoglund.pdf
3 http://hbgary.com/technology.shtml

20
:

, ,
.
$.,
,
$, ,
8 2004

$
. $
Windows UNIX, , $
, $
Windows. $
, 32$ Windows x86.
, ,
.
, .
$
, .
, , :
http://www.fuzzing.org.
.

, ,
x86 Windows,
. $


. , ,
, , , $
, 24
.


19
MLI SRM,
.
MLI ,

. SRM
, $
, $
.
. 20.1 20.2, $

recv()
func1()

unmarshal()

parse()

func2()

...

mutate()

. 20.1.

recv()
unmarshal()

func1()

parse()

func2()

...

. 20.2.


: , $
, , $
.
$
, Windows.
, , ,
.

.
. $
$
. 1 ,
,
(ESP), (ESP) (EBP)
(EAX, EBX, ECX, EDX,
ESI EDI). $

SRM. , , $
Windows $
, .

, $

SRM. $
, ,
MLI.
SRM MLI. ,
SRM,
MLI. MLI,
. $
, $
.


$
Windows,
1 http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/context_str.asp


, ,
,
. , $
, C C++, $
, $
.
Perl, Python Ruby.
,
, , , . $
, Python, $
ctypes1 Python, . ctypes
Windows,
C $
Python . $
, , , $
GetCurrentProcessId(), kernel32.dll:
from ctypes import *
# create a convenience shortcut to kernel32.
kernel32 = windll.kernel32
# determine the current process ID.
current_pid = kernel32.GetCurrentProcessId()
print "The current process ID is %d" % current_pid

$
C. ctypes ,
, Python
(. 20.1).
20.1. , C ctypes
ctypes

Python

c_char

c_int

c_long

c_ulong

c_char_p

c_void_p

http://starship.python.net/crew/theller/ctypes/tutorial.html.

http://starship.python.net/crew/theller/ctypes/


$
. $
value.
byref().
, , c_char_p c_void_p, $
.
create_string_buffer().

raw. $
, ReadProcessMemory():
read_buf = create_string_buffer(512)
count    = c_ulong(0)
# h_process: a handle to the target process obtained earlier;
# 0xDEADBEEF is a placeholder address.
kernel32.ReadProcessMemory(h_process, \
                           0xDEADBEEF, \
                           read_buf, \
                           512, \
                           byref(count))
print "Successfully read %d bytes: " % count.value
print read_buf.raw

ReadProcessMemory() $
, $
; , ; $
, ; ,
, , , ,
, .
$
, $
, :
c_data = c_char_p(data)
length = len(data)
count  = c_ulong(0)
# 0xC0CAC01A is a placeholder address in the target process.
kernel32.WriteProcessMemory(h_process, \
                            0xC0CAC01A, \
                            c_data, \
                            length, \
                            byref(count))
print "Successfully wrote %d bytes: " % count.value

WriteProcessMemory() $
ReadProcessMemory().
,
; ; , $
; , , $
, ,
.


, $
.
, ,
, ,
.

Windows
19
Windows. $
, $ $
Windows, $
.
Windows Windows NT $
,

, . $

: 1, 2 3. $
,
. , , $
.
. $

, $
.
:
# PROCESS_INFORMATION, STARTUPINFO and DEBUG_PROCESS are the ctypes
# structure and constant definitions described above.
pi = PROCESS_INFORMATION()
si = STARTUPINFO()
si.cb = sizeof(si)
kernel32.CreateProcessA(path_to_file, \
                        command_line, \
                        0, \
                        0, \
                        0, \
                        DEBUG_PROCESS, \
                        0, \
                        0, \
                        byref(si), \
                        byref(pi))
print "Started process with pid %d" % pi.dwProcessId

1 http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/debugging_functions.asp
2 http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/debugging_events.asp
3 http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/debugging_structures.asp

A CreateProcess: $
Windows Unicode,
ANSI. $
.
ctypes $
. , $
ANSI,
Unicode, MSDN. $
MSDN, , , CreateProcess1, $
: CreateProcessW (Unicode) CreateProcessA
(ANSI). PROCESS_INFORMATION STARTUP_INFO $
CreateProcess $
, , $
(pi.dwProcessId)
(pi.hProcess). $
, ,
DebugActiveProcess():
# attach to the specified process ID.
kernel32.DebugActiveProcess(pid)
# allow detaching on systems that support it.
try:
    kernel32.DebugSetProcessKillOnExit(True)
except:
    pass

, $
, , $
A W. DebugActiveProcess() $
. DebugActiveProcess()
, , ,
. DebugSetProcessKillOnExit()2 $
Windows XP; $
, ($
, ).
try/except
,
,

1 http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/createprocess.asp
2 http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/debugsetprocesskillonexit.asp


, Windows 2000. $
, $
.
( ) $
. ,
. , , $
, $
. $ $
. ,
, . $
. , ,
. $
, , $
. $
:
debugger_active = True
dbg             = DEBUG_EVENT()
continue_status = DBG_CONTINUE
while debugger_active:
    ret = kernel32.WaitForDebugEvent(byref(dbg), 100)
    # if no debug event occurred, continue.
    if not ret:
        continue
    event_code = dbg.dwDebugEventCode
    if event_code == CREATE_PROCESS_DEBUG_EVENT:
        pass    # new process created
    if event_code == CREATE_THREAD_DEBUG_EVENT:
        pass    # new thread created
    if event_code == EXIT_PROCESS_DEBUG_EVENT:
        debugger_active = False    # process exited: leave the loop
    if event_code == EXIT_THREAD_DEBUG_EVENT:
        pass    # thread exited
    if event_code == LOAD_DLL_DEBUG_EVENT:
        pass    # new DLL loaded
    if event_code == UNLOAD_DLL_DEBUG_EVENT:
        pass    # DLL unloaded
    if event_code == EXCEPTION_DEBUG_EVENT:
        pass    # an exception was caught
    # continue processing
    kernel32.ContinueDebugEvent(dbg.dwProcessId, \
                                dbg.dwThreadId, \
                                continue_status)



WaitForDebugEvent()1,
DEBUG_EVENT, , $
, $
. , $
DEBUG_EVENT dwDebug
EventCode. , ,
$
, , $
DLL . $
, ,
, u.Exception.Exception
Record.
ExceptionCode DEBUG_EVENT. MSDN2 $
, $
:
EXCEPTION_ACCESS_VIOLATION. , $
$
.
EXCEPTION_BREAKPOINT. $
.
EXCEPTION_SINGLE_STEP. $
.
EXCEPTION_STACK_OVERFLOW.
. $
;
.

$
. $
ContinueDebugEvent().


$
Windows, $
, ,
ctypes $
Windows. $
:
1 http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/waitfordebugevent.asp
2 http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/exception_record_str.asp



?
$
?
$
?
?


?
,
$
. $
: . $
80x86 . $
, $
$, $, $
. $
, $
DR0 DR3 DR7. $
. DR7
, , $
, ,
(, ) . $
$
. , ,
; $
INT3, 0xCC.
$
, . ,
$ ,
. $
,

0xDEADBEEF. $
, ,
ReadProcessMemory, $
. 20.3.
, $
$ .
INT3 $
WriteProcessMemory, (. 20.4).
?
0xCC INT3.


[Figure 20.3 residue: bytes at 0xDEADBEEF before the breakpoint is set: 8B FF (mov edi, edi), 55 (push ebp), 8B EC (mov ebp, esp)]

. 20.3.

[Figure 20.4 residue: after the debugger writes INT3 at 0xDEADBEEF: CC (INT3), FF 55 8B (call [ebp-75]), EC (in al, dx)]

. 20.4. INT3

mov edi, edi (0xFF), , $


push ebp (0x55), mov ebp, esp
(0x8B), call [ebp75].
0xEC in al, dx. $
, 0xDEADBEEF, INT3
EXCEPTION_DEBUG_EVENT $
EXCEPTION_BREAKPOINT,
( ?). $
. 20.5.
, $
, . , $


[Figure 20.5 residue: breakpoint hit; bytes CC FF 55 8B EC (INT3; call [ebp-75]; in al, dx), EIP at 0xDEADBEF0]

. 20.5. EXCEPTION_BREAKPOINT

[Figure 20.6 residue: original byte restored; bytes 8B FF 55 8B EC (mov edi, edi; push ebp; mov ebp, esp), EIP reset to 0xDEADBEEF]

. 20.6. EIP

$ . ,
(EIP, , $
, )
0xDEADBEF0, 0xDEADBEEF. $ ,
0xDEADBEEF INT3 $
, , EIP 0xDEAD$
BEEF+1. , EIP $
0xDEADBEEF, . 20.6.
0xDEADBEEF ,
. , $
EIP . ,


, $
, (EIP),
.
GetThreadCon
text()1, $
CONTEXT.
CONTEXT Set
ThreadContext()2, $
:
context = CONTEXT()
context.ContextFlags = CONTEXT_FULL
kernel32.GetThreadContext(h_thread, byref(context))
context.Eip -= 1    # rewind EIP over the one-byte INT3
kernel32.SetThreadContext(h_thread, byref(context))

,
.


?
, $
: ? . $
.
, , . $
, .

. $
, VMWare3,
. $


. $
4 ,
. $
.
$
. , $
1 http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/getthreadcontext.asp
2 http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/setthreadcontext.asp
3 http://www.vmware.com
4 Greg Hoglund, Runtime Decompilation, BlackHat Proceedings


. $
, ,
. , $
.1 $,
, TH32CS_SNAP
THREAD:
thread_entry = THREADENTRY32()
contexts     = []
snapshot = kernel32.CreateToolhelp32Snapshot( \
               TH32CS_SNAPTHREAD, \
               0)

. ,
$
Thread32First(): dwSize
. Thread32
First(), $
:
thread_entry.dwSize = sizeof(thread_entry)
success = kernel32.Thread32First( \
              snapshot, \
              byref(thread_entry))

, , $
, (pid) $
.
, $
, , :
while success:
    if thread_entry.th32OwnerProcessID == pid:
        context = CONTEXT()
        context.ContextFlags = CONTEXT_FULL
        # open the thread by the ID recorded in the THREADENTRY32 entry
        h_thread = kernel32.OpenThread( \
                       THREAD_ALL_ACCESS, \
                       None, \
                       thread_entry.th32ThreadID)
        kernel32.GetThreadContext( \
            h_thread, \
            byref(context))
        contexts.append(context)
        kernel32.CloseHandle(h_thread)
    success = kernel32.Thread32Next( \
                  snapshot, \
                  byref(thread_entry))

1 http://msdn2.microsoft.com/en-us/library/ms686832.aspx

, ?,

$
.

. ,
32$ Windows x86
4 . 4 $
(0x00000000x7FFFFFFF).
$
, 4096 .
.

, , , $
, $
. , :
PAGE_READONLY
PAGE_EXECUTE_READ
PAGE_GUARD
PAGE_NOACCESS
, $
, .
$
VirtualQue
ryEx()1,
:
cursor        = 0
memory_blocks = []
read_buf      = create_string_buffer(length)   # length: initial buffer size chosen by the caller
count         = c_ulong(0)
mbi           = MEMORY_BASIC_INFORMATION()

while cursor < 0xFFFFFFFF:
    save_block = True
    bytes_read = kernel32.VirtualQueryEx( \
                     h_process, \
                     cursor, \
                     byref(mbi), \
                     sizeof(mbi))
    if bytes_read < sizeof(mbi):
        break

1 http://msdn2.microsoft.com/en-us/library/aa366907.aspx

VirtualQueryEx() ,
, $
.
$
:
    if mbi.State != MEM_COMMIT or \
       mbi.Type == MEM_IMAGE:
        save_block = False
    if mbi.Protect & PAGE_READONLY:
        save_block = False
    if mbi.Protect & PAGE_EXECUTE_READ:
        save_block = False
    if mbi.Protect & PAGE_GUARD:
        save_block = False
    if mbi.Protect & PAGE_NOACCESS:
        save_block = False

,
,
ReadProcessMemory()1
$
. , ,
, :
    if save_block:
        # grow the buffer if this region is larger than the one allocated above
        if mbi.RegionSize > sizeof(read_buf):
            read_buf = create_string_buffer(mbi.RegionSize)
        kernel32.ReadProcessMemory( \
            h_process, \
            mbi.BaseAddress, \
            read_buf, \
            mbi.RegionSize, \
            byref(count))
        # mbi is reused on every iteration, so store a copy of it together
        # with only the bytes actually read
        memory_blocks.append((MEMORY_BASIC_INFORMATION.from_buffer_copy(mbi), \
                              read_buf.raw[:count.value]))
    cursor += mbi.RegionSize

, , , . ,
, $
, PAGE_READONLY,
? $
; . $
, ? ,
,

1 http://msdn2.microsoft.com/en-us/library/ms680553.aspx


.
: $
, $
, , .
, $
$
.


?
,
.
$
. , ,
. $
, $
; , , $
. $
23 .
,
.


?

. $
, , $
. $
:
.

PyDbg,
, , , $
. , , $
( ),
Python PyDbg.1
? , $
. , . $
; , $
, , $ .

http://openrce.org/downloads/details/208/PaiMei


PyDbg
Windows . $
PyDbg :
, ;
, , ;
, ;
, ;
$
( SRM);
;

PyDbg,
PID 123
:
from pydbg import *
from pydbg.defines import *
dbg = pydbg()
dbg.attach(123)
dbg.debug_event_loop()

, , $
. , $
$
Winsock recv() ,
$
:
from pydbg import *
from pydbg.defines import *
ws2_recv = None
def handler_bp (pydbg, dbg, context):
    global ws2_recv
    exception_address = \
        dbg.u.Exception.ExceptionRecord.ExceptionAddress
    if exception_address == ws2_recv:
        print "ws2.recv() called!"
    return DBG_CONTINUE
dbg = pydbg()
dbg.set_callback(EXCEPTION_BREAKPOINT, handler_bp)
dbg.attach(123)
ws2_recv = dbg.func_resolve("ws2_32", "recv")
dbg.bp_set(ws2_recv)
dbg.debug_event_loop()


$
. handler_bp(),
. PyDbg.
DEBUG_EVENT1 $
$
. $
, .
, ,
, $
Winsock recv(). , . $
PyDbg DBG_CONTINUE, $
,
PyDbg $
. ,
set_callback(), PyDbg.
,
PyDbg
. $
$
. , func_resolve()
bp_set(). $
recv() Windows ws2_32.dll
. $
. $

recv() Winsock
ws2.recv() $
. , ,
,
.


$
, , ,
.
$ fuzzing.org fuzz_client.exe fuzz_ser$
ver.exe, .
. $
, , $
. $ $
. TCP$ 11427 $
. $
, .
1 http://msdn2.microsoft.com/en-us/library/ms686832.aspx


? $ , , $
, $
. :
$ ./fuzz_server.exe
Listening and waiting for client to connect...

, .
IP$ . , $
:
$ ./fuzz_client.exe 192.168.197.1 'sending some data'
connecting....
sending...
sent...

192.168.197.1 $
sending some data ( $ ).
:
client connected.
received 17 bytes.
parsing: sending some data
exiting...

17 ,
. , $
, $
. , ,
TCP, $
, Ethereal1 . 20.7.

. 20.7. + Ethereal
1 http://www.ethereal.com/, Ethereal: A Network Protocol Analyzer. Wireshark http://www.wireshark.org.


, , , , $ $
, . ,
, ,
, $
.
.
, $
. ,
, ,
.
, , , $
.
,
( ,
, ). $
fuzz_ser$
ver.exe , .
fuzz_server.exe $
. .
$
? . $
,

? ,

. OllyDbg1, $
Windows, .
OllyDbg, $
, ,
. , , $
, fuzz_server.exe . ,
TCP, fuzz_server.exe OllyDbg

recv() WS2_32.dll. , ,
WS2_32.dll Ctrl+N,
(. 20.8).
recv() F2, .
F9, $
, fuzz_client ,
. OllyDbg $
fuzz_server,
. Alt+F9
.
1 http://www.ollydbg.de


. 20.8. OllyDbg WS2_32.recv()

fuzz_server, WS2_32. $
F8 , printf(), $
, $
. , . 20.9,
, fuzz_server
0x0040100F.

. 20.9. OllyDbg


OllyDbg , $
, Ethereal.
0x0040100F $
?
: $
, . ,
. 20.10, $
.
! ,
. $
, , $
0x00401005, , printf(). $
, exiting printf(), , $
fuzz_server, , $
.
. F9, $
0x00401450, $
, . 20.11.
, $
$
ESP+4.
.

. 20.10. OllyDbg


. 20.11. OllyDbg

, $

. $
, , $
. $
. Ctrl+9
, F7 F8,
, ,
. 20.12, printf() exiting[el].
printf()
0x004012b7, , fuzz_server $
exiting[el] . ,
, fuzz_server $
, .
, 0x0040100F $
. , 0x00401450 $
. $
.
0x004012b7 ,
printf("exiting[el]"). $
, , . 20.13 $
, .


. 20.12. OllyDbg

recv()
0x0040100F()
0x00401450()

printf(exiting...)

. 20.13.

PyDbg $
$
, .
,


$
. PyDbg, $
PyDbg, (
), , $
,
, , $
:
from pydbg import *
from pydbg.defines import *
import time
import random

snapshot_hook  = 0x00401450
restore_hook   = 0x004012B7
snapshot_taken = False
hit_count      = 0
address        = 0

# handle_bp() and handle_av() are the callbacks shown in the sections
# that follow; in the script file they must be defined before this point.
dbg = pydbg()
dbg.set_callback(EXCEPTION_BREAKPOINT, handle_bp)
dbg.set_callback(EXCEPTION_ACCESS_VIOLATION, handle_av)
found_target = False
for (pid, proc_name) in dbg.enumerate_processes():
    if proc_name.lower() == "fuzz_server.exe":
        found_target = True
        break
if found_target:
    dbg.attach(pid)
    dbg.bp_set(snapshot_hook)
    dbg.bp_set(restore_hook)
    print "entering debug event loop"
    dbg.debug_event_loop()
else:
    print "target not found."


.
$
. ,
PyDbg.
$
, : 1) $
, , 2) ,
, $ ($ $
), 3) , .

,
. , $


, $
.
, $
, (
), ( $
).
PyDbg $
http://pedram.redhi+
ve.com/PaiMei/docs/PyDbg/.
def handle_av (pydbg, dbg, context):
    exception_record  = dbg.u.Exception.ExceptionRecord
    exception_address = exception_record.ExceptionAddress
    write_violation   = exception_record.ExceptionInformation[0]
    violation_address = exception_record.ExceptionInformation[1]

    try:
        disasm = pydbg.disasm(exception_address)
    except:
        disasm = "[UNRESOLVED]"
    print "*** ACCESS VIOLATION @%08x %s ***" % \
        (exception_address, disasm)
    if write_violation:
        print "write violation on",
    else:
        print "read violation on",
    print "%08x" % violation_address
    try:
        print pydbg.dump_context(context, 5, False)
    except:
        pass
    print "terminating debuggee"
    pydbg.terminate_process()

$
, OllyDbg.
$
, JIT (just$in$time)1 . $
:
def handle_av (pydbg, dbg, context):
    pydbg.detach()
    return DBG_CONTINUE
1 http://msdn.microsoft.com/library/default.asp?url=/library/en-us/debug/base/debugging_terminology.asp


, $
. 20.14.

. 20.14.


JIT$, ,
.
, $
. , $
fuzz_server
, .
PyDbg $
, .
, ,
,
exception_address:
def handle_bp (pydbg, dbg, context):
    global snapshot_hook, restore_hook
    global snapshot_taken, hit_count, address
    exception_address = \
        dbg.u.Exception.ExceptionRecord.ExceptionAddress

, , $
. ,
hit_count $
:
    if exception_address == snapshot_hook:
        hit_count += 1
        print "snapshot hook hit #%d\n" % hit_count

snapshot_taken.
fuzz_server , $
, PyDbg process_snapshot().



True:
        # if a process snapshot has not yet been
        # taken, take one now.
        if not snapshot_taken:
            start = time.time()
            print "taking process snapshot...",
            pydbg.process_snapshot()
            end = time.time() - start
            print "done. took %.03f seconds\n" % end
            snapshot_taken = True

, if, $
.
.
hit_count, $
,
. .
( , $
), $
virtual_free() PyDbg:
        if hit_count >= 1:
            if address:
                print "freeing last chunk at",
                print "%08x" % address
                pydbg.virtual_free( \
                    address, \
                    1000, \
                    MEM_DECOMMIT)

if hit_count >= 1,
fuzz_server $
virtual_alloc() PyDbg.
. $
? , $
, $
fuzz_server $
. $
:
,
:
            print "allocating memory for mutation"
            address = pydbg.virtual_alloc( \
                          None, \
                          1000, \
                          MEM_COMMIT, \
                          PAGE_READWRITE)
            print "allocation at %08x\n" % address


, $
ASCII
$
. A,
ASCII.
:
            print "generating mutant..."
            fuzz = "A" * 750
            random_index = random.randint(0, 750)
            mutant  = fuzz[0:random_index]
            mutant += chr(random.randint(32, 126))
            mutant += fuzz[random_index:]
            mutant += "\x00"
            print "done.\n"

$
write_process_memory()
PyDbg:
            print "writing mutant to target memory"
            pydbg.write_process_memory(address, mutant)
            print

, $
. , . 20.11
, ,
, 4, $
. :
            print "modifying function argument"
            pydbg.write_process_memory( \
                context.Esp + 4, \
                pydbg.flip_endian(address))
            print
            print "continuing execution...\n"

,
, if, $
$
.
process_resto
re() PyDbg.
:
    if exception_address == restore_hook:
        start = time.time()
        print "restoring process snapshot...",
        pydbg.process_restore()
        end = time.time() - start
        print "done. took %.03f seconds\n" % end
        # the snapshot restored the original byte, so re-arm the breakpoint
        pydbg.bp_set(restore_hook)
    return DBG_CONTINUE

$
:
$ ./fuzz_server.exe
Listening and waiting for client to connect...

:
$ ./chapter_20_srm_poc.py
entering debug event loop

:
$ ./fuzz_client.exe 192.168.197.1 sending some data
connecting....
sending...
sent...

,
, $
:
snapshot / mutate hook point hit #1
taking process snapshot... done. took 0.015 seconds

, .
, fuzz_server $
:
received 17 bytes.
parsing: sending some data
exiting...

, $
$
:
restoring process snapshot... done. took 0.000 seconds

fuzz_server
, . $
, hit_count 1,
:
snapshot / mutate hook point hit #2
allocating chunk of memory to hold mutation
memory allocated at 003c0000
generating mutant... done.
writing mutant into target memory space
modifying function argument to point to mutant


continuing execution...

, $
fuzz_server, .
, fuzz_server

:
parsing:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAA)AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
exiting...

), $
. Fuzz_server $
, , $
. $
,
, . $
, $
, $
, :
continuing execution...
restoring process snapshot... done. took 0.016 seconds
snapshot / mutate hook point hit #265
freeing last chunk at 01930000
allocating chunk of memory to hold mutation
memory allocated at 01940000
generating mutant... done.
writing mutant into target memory space
modifying function argument to point to mutant
continuing execution...
*** ACCESS VIOLATION @41414141 [UNRESOLVED] ***
read violation on 41414141
terminating debuggee

265$ SRM$
, , $


. @41414141 ,
0x41414141,
,
. 0x41 $
ASCII A. , $
, $
. ,
, , $
, .
, , $
$
( $
).

$
.


. ,

. ,
$
.
, , .
, $
, , $
$
, . PyDbg $
,
. http://www.fuzzing.org
. ,
, , $
,

.

, , ,
.
24, $

.

III

21.
22.
23.
24.

21

,
, ,
: ,
.
.
$.,
, ,
17 2002

, $

.
; $
, $
, . , $
SMTP$ $
, Microsoft Exchange,
Sendmail, qmail . .
, $
, ,
, .
,
, $
$
.

.


$
, SPIKE,
, (
, ).

, Autodafej GPF. $
, , $

$
, .
$
. ,
, $
, .

?
, $
, C, Python
Ruby. , $
$
. , $
Peach Python, dfuz $
( ,
).
, . $
;
. ,
,
.
$
.
,
, $
, $
. $
,
,
.
$
. $
TLV (type, length, value , , $
), ASN.1.1 :

http://en.wikipedia.org/wiki/Asn.1


, $
, 0x01 0x02 $
. , $
. ,
, , ;
. .

[TLV packet residue: type 01 | length 00 07 | value "FUZZING" (Value)]

. $
$
, $
. , $
,
(CRC, Calculat$
ing Cyclic Redundancy Check)1 $
. CRC

. PNG, $
, CRC, $
, CRC
. $
, $
, CRC $
. $

(DNP3, Distributed Network Protocol)2,

(SCADA, Supervisory Control and Data Acquisition). $
250$ ,
CRC$16! ,
: IP$ ,
,
.
, , $
$
.

1 http://en.wikipedia.org/wiki/Cyclic_redundancy_check
2 http://www.dnp.org/


,
.
.
, ,
. $
$
(%n%n%n%n) (../../../).

, ,
;
.
; $
24 $
. $
,
.
. $

, $
, .
$
, $
. $
,
.
$
$
: 0x41 0x42, \x41 \x42, 4142 . .
(. 23 ) $
. $

, .
, $
$
$
.
$
, .
,

,
$
.



$
, , $
.
, , , $
. $
$
.

Antiparser1
Antiparser , Python
$
, .
, $
,
Python. $
.
antiparser; $
. antiparser ,
.
:
apChar() C;
apCString() , . . , $
;
apKeywords() , $
, ;
apLong() 32$ ;
apShort() 16$ ;
apString() .
apKey
words(). ,
,
, , . $
[ ] [] [ ] [$
].
Antiparser evilftpclient.py, $
apKeywords(). , $
,
. Python $
evilftpclient.py, $
1 http://antiparser.sourceforge.net/


FTP$ $
FTP. $
, , , $
FTP$.
.
from antiparser import *

# HOST and PORT are not set in the listing; point them at the FTP server under test.
HOST = "127.0.0.1"
PORT = 21

CMDLIST = ['ABOR', 'ALLO', 'APPE', 'CDUP', 'XCUP', 'CWD',
           'XCWD', 'DELE', 'HELP', 'LIST', 'MKD',  'XMKD',
           'MACB', 'MODE', 'MTMD', 'NLST', 'NOOP', 'PASS',
           'PASV', 'PORT', 'PWD',  'XPWD', 'QUIT', 'REIN',
           'RETR', 'RMD',  'XRMD', 'REST', 'RNFR', 'RNTO',
           'SITE', 'SIZE', 'STAT', 'STOR', 'STRU', 'STOU',
           'SYST', 'TYPE', 'USER']

SEPARATOR  = " "
TERMINATOR = "\r\n"
for cmd in CMDLIST:
    ap = antiparser()
    cmdkw = apKeywords()
    cmdkw.setKeywords([cmd])
    cmdkw.setSeparator(SEPARATOR)
    cmdkw.setTerminator(TERMINATOR)
    cmdkw.setContent(r"%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n")
    cmdkw.setMode('incremental')
    cmdkw.setMaxSize(65536)
    ap.append(cmdkw)
    sock = apSocket()
    sock.connect(HOST, PORT)
    # print FTP daemon banner
    print sock.recv(1024)
    # send fuzz test
    sock.sendTCP(ap.getPayload())
    # print FTP daemon response
    print sock.recv(1024)
    sock.close()

$
antiparser, FTP, $
() $
( ). $
FTP
, antiparser. $
apKeywords(). $
, , $
( , $
). $


$ .
apKeyword() $
. FTP$
$
, , , .
, setMode('incremental') setMaxSize(65536), $
,
65 336. $
,
$
ap.permute(). , $
.
, , .
, apKeywords(), antiparser, $
. $
, ap.getPayload(),
sock.sendTCP().
, antiparser . FTP$$
Python $
. $
, , $
antiparser $
.
, $
, , $
TLV. ,
,
, , (
2.0, 2005 ).

,
.

Dfuz1
Dfuz C; $
. $
, $
, Mi$
crosoft, Ipswitch RealNetworks.
, $
$ $
.

http://www.genexx.org/dfuz/



. , $
, , $
( README). $
, ,
. Dfuz $
UNIX/Linux $
. $
, $
.
; $
.
, Dfuz, $
, , , , . $
,
$
. $
:
var my_variable = my_data
var ref_other = "1234",$my_variable,0x00

var,

$ ( Perl PHP). $
. , , $
antiparser, ,
.
Dfuz ,
. , $
, (%).
:
%attach() , Enter Return.
,
. , $
,
,
%attach() , $
.
%length() or %calc() $
. , %length("AAAA") $
0x04 . $
32 , $
8 %length:uint8() 16
%length:uint16().


%put:<size>(number) $
. ,
uint8, uint16 uint32 .
%random:<size>() $
. , %put(),
, uint8,
uint16 uint32 .
%random:data(<length>,<type>)
. ,
. , $
; ASCII, $
, .
%dec2str(num) $
. , %dec2str(123) 123.
%fry() .
"AAAA",%fry(), , , $
AAAA
.
%str2bin() $
. ,
4141, 41 41 41$41 AA.

. $

, , ,
. $
$
$. $
,
( . ):
var my_variable1 = "a string"
var my_variable2 = 0x41,|0xdeadbeef|,[Px50],[\x41*200],100

list,
, begin, , $
,
end. $
. :
list my_list:
begin
some_data
more_data
even_more_data
end


, ,
, ($). $
, , Perl PHP,
$
: $my_list[1]. $
rand: $my_list[rand].
.
:
keep_connecting , $
;
big_endian $
( );
little_endian
( );
tcp , $
TCP;
udp , $
UDP;
client_side ,
, , ;
server_side ,
, , , $
;
use_stdout $
(), ,
.
stdout.
,
, Dfuz FTP,
POP3, Telnet SMB ( ).
, ftp:user(), ftp:pass(),
ftp:mkd(), pop3:user(), pop3:pass(), pop3:dele(), telnet:user(), telnet:
pass(), smb:setup() . . (. Dfuz $
).
$
. $
, $
( ) $
FTP$:
port=21/tcp
peer write: @ftp:user("user")
peer read
peer write: @ftp:pass("pass")
peer read
peer write: "CWD /", %random:data(1024,alphanum), 0x0a
peer read
peer write: @ftp:quit()
peer read

repeat=1024
wait=1
# No Options

, $
TCP, 21.
, , . peer read
peer write , $
, .
FTP $
FTP.
(CWD) $
. CWD 1024 $
$ , $
(0x0a). , .
, repeat, , $
1024 . $
Dfuz $
FTP$, CED $
1024 $
.
Dfuz ,

. stdout ( $
)
, $
. Dfuz
, $
. , $
, . $
,
;
$
, $
. Dfuz $
, $
, , $
Peach. : $
. , Dfuz
$
, .


SPIKE1
SPIKE , , $
. SPIKE C
,
. $
SPIKE ,
(GPL)2
GNU. $
SPIKEfile, $
,
(. 12 : $
UNIX). SPIKE
, , . $
,
SPIKE, ,
. $
$
. $
, ,
$
:3
s_block_size_binary_bigendian_word("somepacketdata");
s_block_start("somepacketdata")
s_binary("01020304");
s_block_end("somepacketdata");

SPIKE ( SPIKE C) $
somepacketdata ( $ $
), 0x01020304
.
4 $
. ,
SPIKE s_, spike_.
s_binary() $
$
,
, 4141 \x41
0x41 41 00 41 00. , $
SPIKE. SPIKE
, $

1 http://www.immunitysec.com/resources-freesoftware.shtml
2 http://www.gnu.org/copyleft/gpl.html
3 http://www.immunitysec.com/downloads/advantages_of_block_based_analysis.pdf


. $
:
s_block_size_binary_bigendian_word("somepacketdata");
s_block_start("somepacketdata")
s_binary("01020304");
s_blocksize_halfword_bigendian("innerdata");
s_block_start("innerdata");
s_binary("00 01");
s_binary_bigendian_word_variable(0x02);
s_string_variable("SELECT");
s_block_end("innerdata");
s_block_end("somepacketdata");

somepacketdata innerdata ($
). , $
. in$
nerdata (0x0001),

0x02,
SELECT. s_bina
ry_bigendian_word_variable() s_string_variable() $

( ) ,
. $
SPIKE
, .
, SPIKE $

. $
SPIKE/src/spike.c.
2.9 , $
700 , .
, $
, , $
$
. $
.
SPIKE.
: $
FTP, SPIKE. $
SPIKE,
, :
s_string("HOST ");
s_string_variable("10.20.30.40");
s_string("\r\n");
s_string_variable("USER");
s_string(" ");
s_string_variable("bob");
s_string("\r\n");
s_string("PASS ");
s_string_variable("bob");
s_string("\r\n");
s_string("SITE ");
s_string_variable("SEDV");
s_string("\r\n");
s_string("ACCT ");
s_string_variable("bob");
s_string("\r\n");
s_string("CWD ");
s_string_variable(".");
s_string("\r\n");
s_string("SMNT ");
s_string_variable(".");
s_string("\r\n");
s_string("PORT ");
s_string_variable("1");
s_string(",");
s_string_variable("2");
s_string(",");
s_string_variable("3");
s_string(",");
s_string_variable("4");
s_string(",");
s_string_variable("5");
s_string(",");
s_string_variable("6");
s_string("\r\n");

SPIKE , $
$
, . , $
,
, $
.
$
, SPIKE $
, $
, .
.
$
SPIKE $
Microsoft Windows, SPIKE $
UNIX, $


SPIKE Windows
Cygwin.1 , $
, $
, , $
.

. , $
,
.
SPIKE
, $
. SPIKE $
, proxy$, $
$$
. $
, SPIKE,
, . $
, , , $
: SPIKE
.

Peach2
Peach, IOACTIVE 2004 , $
, Py$
thon. Peach , $
.
Peach, , $
, $
. , ,
(peach, fuzz ?3).
,
, , , $
, .
$
.
. $
$
$
. , ,
, SMTP$. $
1 http://www.cygwin.com/
2 http://peachfuzz.sourceforge.net
3
Peach ,
fuzz . . .


$
, .
$.
base64, gzip HTML. $
$
. ,
, URL,
gzip. $
$
. $

, $
.
(publishers) $
.
TCP.
$
.
Peach , $

. , , $
GIF. $
$
.
$
, , $
. Peach $
. , Script, $
, $
,
group.next() protocol.step().
, $
Peach, $
FTP $
:
from Peach              import *
from Peach.Transformers import *
from Peach.Generators   import *
from Peach.Protocols    import *
from Peach.Publishers   import *

loginGroup = group.Group()
loginBlock = block.Block()
loginBlock.setGenerators((
    static.Static("USER username\r\nPASS "),
    dictionary.Dictionary(loginGroup, "dict.txt"),
    static.Static("\r\nQUIT\r\n")
    ))
loginProt = null.NullStdout(ftp.BasicFtp('127.0.0.1', 21), loginBlock)
script.Script(loginProt, loginGroup, 0.25).go()

Peach.
. $
, . $
.
.
FTP
, . $
FTP.
, $
. ,
,
.
,
Peach. Peach $
, Autodafej Dfuz.
Peach , $
$
, , $
. , , $
$
, , ,
, $
. , gzip $
, $

, HTTP $
. Peach.
, .
Peach Python,
Python. , $
, $
Python, Microsoft COM1 Microsoft .NET, Peach
Active X $
. DLL
Microsoft Windows, Peach C/C++
, .
Peach , $
0.5
1 http://en.wikipedia.org/wiki/Component_Object_Model


( 2006 ). Peach
, , , $
$
. $ $
, $
, .
Peach
. ,
Ruby Peach, $
.

1
(GPF, General Purpose Fuzzer)
Applied Security.
.2
GPF , $
GPL;
UNIX. , GPF $
; SPIKE, $
.
, ,
. $
GPF ,
, , $
. GPF $
, PureFuzz ( $
), Convert (), GPF ( ), Pattern
Fuzz ( ) SuperGPF.
PureFuzz ;
, /dev/urandom . $
, $
, $

. $
PureFuzz netcat /dev/urandom $
, PureFuzz $
, $
. , , PureFuzz $
,
, .

1 http://www.appliedsec.com/resources.html
2
general purpose fuzzer $
general protection fault.
. .


Convert GPF, libpcap, $


, Ethereal1 Wireshark2, GPF.

pcap (
) , .
GPF GPF
$
. , $
.
$
, $
. ,
.
Pattern Fuzz (PF) GPF,

. PF
ASCII $

. $
tokAids, C. ASCII
tokAid (normal_ascii), (,
DNS). tokAid $
$
.
SuperGPF GPF Perl,
, $
, , $
. SuperGPF GPF
, , $
. $
GPF $
. $
SuperGPF ASCII.
GPF,
FTP:
Source:S Size:20 Data:220 (vsFTPd 1.1.3)
Source:C Size:12 Data:USER fuzzy
Source:S Size:34 Data:331 Please specify the password.
Source:C Size:12 Data:PASS wuzzy
Source:S Size:33 Data:230 Login successful. Have fun.
Source:C Size:6 Data:QUIT
Source:S Size:14 Data:221 Goodbye.

1 http://www.ethereal.com
2 http://www.wireshark.org


GPF .
GPF, .

tokAids , $
SPIKE, , ,
. , $
$
:
GPF ftp.gpf client localhost 21 ? TCP 8973987234 100000 0 + 6 6 100 100 5000
43 finish 0 3 auto none G b

, GPF
. $
, , $
.
ASCII
. $
GPF ,


!
, PureFuzz GPF, $
,
, .
,
, BrightStor ARC$
serve Backup Computer Associates. 2005 $
, Microsoft
SQL Server1, $
. , , $
, 3168 $
, TCP 6070.

,
.
$
, PureFuzz, ,

.
1 http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=287


$

. $
22 .

Autodafe1
Autodafej : SPIKE $
,
. Autodafej
, GPL
GNU $
UNIX. SPIKE,
Autodafej .
Autodafej,
2 ,
Autodafej; SPIKE
:
string("dummy");                  /* define a constant string */
string_uni("dummy");              /* define a constant unicode string */
hex(0x0a 0a \x0a);                /* define a hexadecimal constant value */
block_begin("block");             /* define the beginning of a block */
block_end("block");               /* define the end of a block */
block_size_b32("block");          /* 32 bits big-endian size of a block */
block_size_l32("block");          /* 32 bits little-endian size of a block */
block_size_b16("block");          /* 16 bits big-endian size of a block */
block_size_l16("block");          /* 16 bits little-endian size of a block */
block_size_8("block");            /* 8 bits size of a block */
block_size_8("block");            /* 8 bits size of a block */
block_size_hex_string("a");       /* hexadecimal string size of a block */
block_size_dec_string("b");       /* decimal string size of a block */
block_crc32_b("block");           /* crc32 of a block in big-endian */
block_crc32_l("block");           /* crc32 of a block in little-endian */
send("block");                    /* send the block */
recv("block");                    /* receive the block */
fuzz_string("dummy");             /* fuzz the string "dummy" */
fuzz_string_uni("dummy");         /* fuzz the unicode string "dummy" */
fuzz_hex(0xff ff \xff);           /* fuzz the hexadecimal value */

;
$
.
Autodafej $
$
,
1. http://autodafe.sourceforge.net
2. http://autodafe.sourceforge.net/docs/autodafe.pdf

.

. Autodafej:
fuzz_string("GET");
string(" /");
fuzz_string("index.html");
string(" HTTP/1.1");
hex(0d 0a);

$ $
HTTP, $
. , Autodafej $
, 500 .
, ,
500 , 1000
. $
, , ,
. Autodafej $
$
. Autodafej ,
, ( ). $
$
,
,
.
Autodafej $
adbg. $
,
, FileFuzz (. 13
: Windows), Autodafej $
, $
. Autodafej
,
strcpy(), , fprintf(),
.
.
$
, , .
. $
, $
, . , $
, $
. $
,
. $
, , $

: Shockwave Flash


. $
,
,
.
Autodafej ,
. $
, PDML2AD, PDML (
), Ethereal
Wireshark Autodafej.
750 ,
,
$
. , PDML2AD
, $
hex(),
string() . . , TXT2AD
, Autodafej. $
, ADC Autodafej. ADC
Autodafej, $
,
.
Autodafej , $
, SPIKE. $
Autodafej SPIKE. $
, $
. ,
, Microsoft
Windows
. $
; $

, .

:
Shockwave Flash


. $, $
, http://www.fuzzing.org. ,
. $
, , $
. ,


, , ,
. $

.
,

, , $
.
$
$
. $
Macromedia Shockwave Flash (SWF)1 Adobe
,
.
Shockwave Flash
, Flash Player $
. $
Microsoft Windows
Flash Player .
SWF $
, $
.
, $
2 $ $
http://www.fuzzing.org.
SWF $
. $, SWF

Adobe Macromedia
Flash (SWF) Flash Video (FLV).3 $
8$ . $
,
,
. $
$
, Adobe Macromedia. $
, SWF $
, $
,

1. http://www.macromedia.com/software/flash/about/
2. TippingPoint.
3. http://www.adobe.com/licensing/developer/

. SWF
, $
, . $

, $
, , .

SWF
$
SWF ,
. SWF ,
; $
:
[Header]
    <magic>
    <version>
    <length>
    <rect>
        [nbits]
        [xmin]
        [xmax]
        [ymin]
        [ymax]
    <framerate>
    <framecount>
[FileA*ttributes Tag]
[Tag]
    <header>
    <data>
        <datatypes>
        <structs>
        ...
[Tag]
    <header>
    <data>
        <datatypes>
        <structs>
        ...
...
[ShowFrame Tag]
[End Tag]

:
magic SWF
FWS;
version , $
Flash, ;


length ,
SWF ;
rect :
nbits ;
:
xmin, xmax, ymin ymax. $
,
Flash. ,
, , Flash,
1/20 .

rect
. nbits 3, rect
5 + 3 + 3 + 3 + 3 = 17 .
nbits 4, rect 5 + 4 + 4 +
4 + 4 = 21 .
.

SWF.
, $
Flash. , FileAttributes, $
8$ Flash; , $
. $, , SWF$
, . $
, ,
, $
. $, , Flash
Player SWF$ . $
SWF ,
: $
. : , ,
. ,
. Flash Player , $
ShowFrame, $
. SWF End.
,
2 , . $
.
63 , $
: [ $
] [ ] [].
, $
, : [$
] [111111] [$
] []. , $


SWF $
.
.
. ,
SWF, ( $
). , $

! .
, $
$
. , $
, $
, .
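The header, RECT and tag record-header layout described above, as an added worked example in Python 3; this is not code from the book or from the SWF fuzzer it describes. It builds a small uncompressed SWF by hand (the sample file and its values are constructed for this example), then parses it back: the RECT is read as an MSB-first bit field whose width depends on nbits, and the tag list is walked in both record-header forms, the short one with the length in the low 6 bits and the long one signalled by 0x3F (all six bits set) with the real length following as a dword. Function and field names are this example's own.

```python
import struct
import zlib


def build_sample_swf():
    """Hand-built, uncompressed SWF used as the example's input (constructed, not a real file).

    Layout: magic, version, length, RECT (nbits + 4 signed fields), frame rate (8.8 fixed),
    frame count, then tags: FileAttributes, one long-form tag, ShowFrame, End.
    """
    nbits = 15
    bits = format(nbits, "05b")
    for value in (0, 11000, 0, 8000):                 # 550 x 400 px stage, in twips (1/20 px)
        bits += format(value & ((1 << nbits) - 1), "0%db" % nbits)
    bits += "0" * (-len(bits) % 8)                    # RECT is padded to the next byte boundary
    rect = int(bits, 2).to_bytes(len(bits) // 8, "big")

    frame_rate = struct.pack("<H", 12 << 8)           # 12.0 frames per second
    frame_count = struct.pack("<H", 1)

    tags = struct.pack("<H", (69 << 6) | 4) + b"\x00" * 4          # FileAttributes, short header
    tags += struct.pack("<HI", (4 << 6) | 0x3F, 63) + b"A" * 63      # PlaceObject, long header
    tags += struct.pack("<H", (1 << 6) | 0)                          # ShowFrame
    tags += struct.pack("<H", (0 << 6) | 0)                          # End

    body = rect + frame_rate + frame_count + tags
    return b"FWS" + bytes([6]) + struct.pack("<I", 8 + len(body)) + body


class BitReader:
    """MSB-first bit reader, the order SWF uses for bit-packed fields such as RECT."""

    def __init__(self, data, bit_pos=0):
        self.data = data
        self.pos = bit_pos

    def read(self, count, signed=False):
        value = 0
        for _ in range(count):
            byte = self.data[self.pos >> 3]
            value = (value << 1) | ((byte >> (7 - (self.pos & 7))) & 1)
            self.pos += 1
        if signed and count and value & (1 << (count - 1)):
            value -= 1 << count                        # two's complement within 'count' bits
        return value

    def byte_align(self):
        self.pos = (self.pos + 7) & ~7
        return self.pos >> 3


def parse_rect(data, offset):
    """Parse a RECT at byte 'offset'.  The four coordinates are each nbits wide, so the
    field is 5 + 4 * nbits bits long (17 bits for nbits=3, 21 for nbits=4), padded to bytes."""
    reader = BitReader(data, offset * 8)
    nbits = reader.read(5)
    xmin, xmax, ymin, ymax = [reader.read(nbits, signed=True) for _ in range(4)]
    end = reader.byte_align()
    return {"nbits": nbits, "xmin": xmin, "xmax": xmax, "ymin": ymin, "ymax": ymax}, end


def parse_header(data):
    """Return the fixed header fields plus the byte offset where the tag list begins."""
    if len(data) < 8 or data[:3] not in (b"FWS", b"CWS"):
        raise ValueError("not an SWF file: bad magic")
    version = data[3]
    length = struct.unpack_from("<I", data, 4)[0]
    if data[:3] == b"CWS":                             # body after the 8-byte header is zlib-compressed
        data = data[:8] + zlib.decompress(data[8:])
    rect, offset = parse_rect(data, 8)
    frame_rate = struct.unpack_from("<H", data, offset)[0] / 256.0
    frame_count = struct.unpack_from("<H", data, offset + 2)[0]
    return {"version": version, "length": length, "rect": rect, "frame_rate": frame_rate,
            "frame_count": frame_count, "tags_offset": offset + 4, "data": data}


def iter_tags(data, offset):
    """Yield (tag_code, payload) by walking RECORDHEADERs.  The word holds the code in its
    upper 10 bits and the length in the low 6; a length of 0x3F marks the long form, whose
    real length follows as a dword.  A payload running past the file is rejected rather than
    truncated, which is the check a sloppy player would be missing."""
    while offset + 2 <= len(data):
        code_and_len = struct.unpack_from("<H", data, offset)[0]
        code, length = code_and_len >> 6, code_and_len & 0x3F
        offset += 2
        if length == 0x3F:
            length = struct.unpack_from("<I", data, offset)[0]
            offset += 4
        if offset + length > len(data):
            raise ValueError("tag %d claims %d byte(s) past end of file" % (code, offset + length - len(data)))
        yield code, data[offset:offset + length]
        offset += length
        if code == 0:                                  # End tag terminates the list
            break


if __name__ == "__main__":
    swf = build_sample_swf()
    header = parse_header(swf)
    print(header["version"], header["rect"], header["frame_rate"], header["frame_count"])
    for code, payload in iter_tags(header["data"], header["tags_offset"]):
        print("tag %2d, %d byte(s)" % (code, len(payload)))
```

The parser is deliberately strict: a length field that points past the end of the buffer raises instead of silently clamping, so the same code can be used to sanity-check what a fuzzer emits before it is handed to the player.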
Python $
.
,
(), (), (), $
(), 8$, 16$, 32$
64$ . $
Sulley ( $
Sulley,
):
import random
import struct

# Python 2 code, as in the SWF fuzzer's sulley/numbers.py: str is a byte string,
# xrange and long are used, and / is integer division.

BIG_ENDIAN    = ">"
LITTLE_ENDIAN = "<"

class bit_field (object):
    def __init__ (self, width, value=0, max_num=None):
        assert type(value) in (int, long)

        self.width   = width
        self.max_num = max_num
        self.value   = value
        self.endian  = LITTLE_ENDIAN
        self.static  = False
        self.s_index = 0

        if self.max_num == None:
            self.max_num = self.to_decimal("1" * width)

    def flatten (self):
        '''
        @rtype:  Raw Bytes
        @return: Raw byte representation
        '''

        # pad the bit stream to the next byte boundary.
        bit_stream = ""

        if self.width % 8 == 0:
            bit_stream += self.to_binary()
        else:
            bit_stream  = "0" * (8 - (self.width % 8))
            bit_stream += self.to_binary()

        flattened = ""

        # convert the bit stream from a string of bits into raw bytes.
        for i in xrange(len(bit_stream) / 8):
            chunk      = bit_stream[8*i:8*i+8]
            flattened += struct.pack("B", self.to_decimal(chunk))

        # if necessary, convert the endianess of the raw bytes.
        if self.endian == LITTLE_ENDIAN:
            flattened = list(flattened)
            flattened.reverse()
            flattened = "".join(flattened)

        return flattened

    def to_binary (self, number=None, bit_count=None):
        '''
        @type  number:    Integer
        @param number:    (Opt., def=self.value) Number to convert
        @type  bit_count: Integer
        @param bit_count: (Opt., def=self.width) Width of bit string

        @rtype:  String
        @return: Bit string
        '''

        if number == None:
            number = self.value

        if bit_count == None:
            bit_count = self.width

        return "".join(map(lambda x:str((number >> x) & 1), \
                           range(bit_count - 1, -1, -1)))

    def to_decimal (self, binary):
        '''
        Convert a binary string into a decimal number and return.
        '''

        return int(binary, 2)

    def randomize (self):
        '''
        Randomize the value of this bitfield.
        '''

        self.value = random.randint(0, self.max_num)

    def smart (self):
        '''
        Step the value of this bitfield through a list of smart values.
        '''

        smart_cases = \
        [
            0,
            self.max_num,
            self.max_num / 2,
            self.max_num / 4,
            # etc...
        ]

        self.value    = smart_cases[self.s_index]
        self.s_index += 1

class byte (bit_field):
    def __init__ (self, value=0, max_num=None):
        # a raw byte string is unpacked with the default (little) endianness.
        if type(value) not in [int, long]:
            value = struct.unpack(LITTLE_ENDIAN + "B", value)[0]

        bit_field.__init__(self, 8, value, max_num)

class word (bit_field):
    def __init__ (self, value=0, max_num=None):
        if type(value) not in [int, long]:
            value = struct.unpack(LITTLE_ENDIAN + "H", value)[0]

        bit_field.__init__(self, 16, value, max_num)

class dword (bit_field):
    def __init__ (self, value=0, max_num=None):
        if type(value) not in [int, long]:
            value = struct.unpack(LITTLE_ENDIAN + "L", value)[0]

        bit_field.__init__(self, 32, value, max_num)

class qword (bit_field):
    def __init__ (self, value=0, max_num=None):
        if type(value) not in [int, long]:
            value = struct.unpack(LITTLE_ENDIAN + "Q", value)[0]

        bit_field.__init__(self, 64, value, max_num)

# class aliases
bits   = bit_field
char   = byte
short  = word
long   = dword
double = qword

bit_field (width), $
, (max_num),
(value), (endian), , ,
(static), , , $
(s_index). bit_field $
:


flatten() $
.
to_binary() $
.
to_decimal() $
.
randomize()
.
smart() $
,
.

bit_field,$

. $

flatten() .
, $
SWF, RECT RGB.
, $
, ( , $
):
class RECT (base):
    def __init__ (self, *args, **kwargs):
        base.__init__(self, *args, **kwargs)

        self.fields = \
        [
            ("Nbits", sulley.numbers.bits(5, value=31, static=True)),
            ("Xmin" , sulley.numbers.bits(31)),
            ("Xmax" , sulley.numbers.bits(31)),
            ("Ymin" , sulley.numbers.bits(31)),
            ("Ymax" , sulley.numbers.bits(31)),
        ]

class RGB (base):
    def __init__ (self, *args, **kwargs):
        base.__init__(self, *args, **kwargs)

        self.fields = \
        [
            ("Red"  , sulley.numbers.byte()),
            ("Green", sulley.numbers.byte()),
            ("Blue" , sulley.numbers.byte()),
        ]

,
. $


.
bit_field depen
dent_bit_field, :
class dependent_bit_field (sulley.numbers.bit_field):
    def __init__ (self, width, value=0, max_num=None, static=False, \
                  parent=None, dep=None, vals=[]):
        self.parent = parent
        self.dep    = dep
        self.vals   = vals

        sulley.numbers.bit_field.__init__(self, width, value, \
                                          max_num, static)

    def flatten (self):
        # if there is a dependency for flattening (including) this
        # structure, then check it.
        if self.parent:
            #                                VVV - object value
            if self.parent.fields[self.dep][1].value not in self.vals:
                # dependency not met, don't include this object.
                return ""

        return sulley.numbers.bit_field.flatten(self)

,
.
, dep, $
vals, . MATRIX $
:
class MATRIX (base):
    def __init__ (self, *args, **kwargs):
        base.__init__(self, *args, **kwargs)

        self.fields = \
        [
            ("HasScale"       , sulley.numbers.bits(1)),
            ("NScaleBits"     , dependent_bits(5, 31, parent=self, \
                                               dep=0, vals=[1])),
            ("ScaleX"         , dependent_bits(31, parent=self, \
                                               dep=0, vals=[1])),
            ("ScaleY"         , dependent_bits(31, parent=self, \
                                               dep=0, vals=[1])),
            ("HasRotate"      , sulley.numbers.bits(1)),
            ("NRotateBits"    , dependent_bits(5, 31, parent=self, \
                                               dep=4, vals=[1])),
            ("skew1"          , dependent_bits(31, parent=self, \
                                               dep=0, vals=[1])),
            ("skew2"          , dependent_bits(31, parent=self, \
                                               dep=0, vals=[1])),
            ("NTranslateBits" , sulley.numbers.bits(5, value=31)),
            ("TranslateX"     , sulley.numbers.bits(31)),
            ("TranslateY"     , sulley.numbers.bits(31)),
        ]


, NScaleBits MATRIX
5 31,
,
0 (HasScale) 1. ScaleX, ScaleY, skew1 skew2
HasScale. , HasScale $
1, .
. , NRotateBits
4 (HasRotate). 200 $
SWF .1
, $
. $,
, :
from struct import pack

class base (structs.base):
    def __init__ (self, parent=None, dep=None, vals=[]):
        self.tag_id = None

        structs.base.__init__(self, parent, dep, vals)

    def flatten (self):
        bit_stream = structs.base.flatten(self)

        # pad the bit stream to the next byte boundary.
        if len(bit_stream) % 8 != 0:
            bit_stream = "0" * (8 - (len(bit_stream) % 8)) + bit_stream

        raw = ""

        # convert the bit stream from a string of bits into raw bytes.
        for i in xrange(len(bit_stream) / 8):
            chunk = bit_stream[8*i:8*i+8]
            raw  += pack("B", self.to_decimal(chunk))

        raw_length = len(raw)

        if raw_length >= 63:
            # long (record header is a word + dword): the low 6 bits of the
            # word are all set (0x3f) and the real length follows as a
            # little endian dword.
            record_header   = self.tag_id
            record_header <<= 6
            record_header  |= 0x3f

            flattened  = pack('<H', record_header)
            flattened += pack('<L', raw_length)
            flattened += raw
        else:
            # short (record_header is a word): the length lives in the low 6 bits.
            record_header   = self.tag_id
            record_header <<= 6
            record_header  |= raw_length

            flattened  = pack('<H', record_header)
            flattened += raw

        return flattened

1. See http://www.fuzzing.org for the code.


flatten()
$
. 50 $
SWF .
:
class PlaceObject (base):
    def __init__ (self, *args, **kwargs):
        base.__init__(self, *args, **kwargs)

        self.tag_id = 4
        self.fields = \
        [
            ("CharacterId"    , sulley.numbers.word(value=0x01)),
            ("Depth"          , sulley.numbers.word()),
            ("Matrix"         , structs.MATRIX()),
            ("ColorTransform" , structs.CXFORM()),
        ]

class DefineBitsLossless (base):
    def __init__ (self, *args, **kwargs):
        base.__init__(self, *args, **kwargs)

        self.tag_id = 20
        self.fields = \
        [
            ("CharacterId"          , sulley.numbers.word()),
            ("BitmapFormat"         , sulley.numbers.byte()),
            ("BitmapWidth"          , sulley.numbers.word()),
            ("BitmapHeight"         , sulley.numbers.word()),
            ("BitmapColorTableSize" , structs.dependent_byte( \
                                          parent=self, dep=1, vals=[3])),
            ("ZlibBitmapData"       , structs.COLORMAPDATA( \
                                          parent=self, dep=1, vals=[3])),
            ("ZlibBitMapData_a"     , structs.BITMAPDATA( \
                                          parent=self, dep=1, vals=[4, 5])),
        ]

class DefineMorphShape (base):
    def __init__ (self, *args, **kwargs):
        base.__init__(self, *args, **kwargs)

        self.tag_id = 46
        self.fields = \
        [
            ("CharacterId"     , sulley.numbers.word()),
            ("StartBounds"     , structs.RECT()),
            ("EndBounds"       , structs.RECT()),
            ("Offset"          , sulley.numbers.word()),
            ("MorphFillStyles" , structs.MORPHFILLSTYLE()),
            ("MorphLineStyles" , structs.MORPHLINESTYLES()),
            ("StartEdges"      , structs.SHAPE()),
            ("EndEdges"        , structs.SHAPE()),
        ]

. SWF,
bit_field. $
, , . bit_field
dependent_bit_field, , ,
.
SWF. $
, $
SWF.
. 21.1.
, $
, SWF.
.
, $

[Figure 21.1. Class hierarchy of the SWF fuzzer: byte, word, etc. derive from bit_field; dependent_byte, etc. derive from dependent_bit_field; the structs and the tags each derive from a base class.]


SWF . $

randomize()
smart() . , $

flat
ten().
.


$
SWF, . $
SWF , $
. $

, .
$
, .
Google SOAP1, SWF$ ,
filetype:swf ( :swf). $
a filetype:swf, b filetype:swf
z filetype:swf. ,
SWF. $
MD5, $
.
10 000 SWF$,
3 . SWF
, $
. 21.1.
Table 21.1. Distribution of harvested SWF files by Flash version

Flash version        Share of SWF files
Flash 8              < 1%
Flash 7              ~ 2%
Flash 6              ~ 11%
Flash 5              ~ 55%
Flash 4              ~ 28%
Flash 1 - Flash 3    ~ 3%

1. http://www.google.com/apis/index.html


. ,
$
Flash Player. , $
, $
.
SWF.
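The harvesting procedure above (collect the files, deduplicate them by MD5, then classify them by the version byte in the header) as an added Python 3 example; this is not the book's tooling, and the corpus is a handful of constructed byte strings standing in for downloaded files. Names and bucket labels are this example's own; the buckets follow Table 21.1.

```python
import hashlib
from collections import Counter


def constructed_corpus():
    """Stand-ins for harvested files (constructed for this example, not downloaded data):
    an 8-byte SWF header followed by filler.  b.swf is a byte-for-byte copy of a.swf saved
    under another name, and h.txt is a non-SWF that slipped into the harvest."""
    def swf(version, filler):
        return b"FWS" + bytes([version]) + (8 + len(filler)).to_bytes(4, "little") + filler

    return {
        "a.swf": swf(5, b"\x01" * 16),
        "b.swf": swf(5, b"\x01" * 16),
        "c.swf": swf(4, b"\x02" * 16),
        "d.swf": swf(6, b"\x03" * 16),
        "e.swf": swf(2, b"\x04" * 16),
        "f.swf": swf(8, b"\x05" * 16),
        "g.swf": swf(5, b"\x06" * 16),
        "h.txt": b"not an swf at all",
    }


def dedupe(corpus):
    """Keep one file per distinct content, keyed by MD5 of the bytes.  File names are useless
    for this: a search engine returns the same movie under many URLs.  MD5 is fine here
    because nobody is trying to collide our corpus; it is a dedupe key, not an integrity check."""
    unique = {}
    for name, data in sorted(corpus.items()):
        digest = hashlib.md5(data).hexdigest()
        unique.setdefault(digest, (name, data))
    return unique


def swf_version(data):
    """Flash version byte from the header, or None when the magic is not FWS/CWS."""
    if len(data) < 8 or data[:3] not in (b"FWS", b"CWS"):
        return None
    return data[3]


def version_bucket(version):
    """Bucket names as in Table 21.1, with Flash 1 to 3 folded together."""
    return "Flash 1 - Flash 3" if version <= 3 else "Flash %d" % version


def version_distribution(unique):
    """Percentage of unique SWF files per bucket (non-SWF content is dropped, not counted)."""
    counts = Counter()
    for _, data in unique.values():
        version = swf_version(data)
        if version is not None:
            counts[version_bucket(version)] += 1
    total = sum(counts.values())
    return {bucket: round(100.0 * n / total, 1) for bucket, n in counts.items()}


if __name__ == "__main__":
    unique = dedupe(constructed_corpus())
    for bucket, share in sorted(version_distribution(unique).items()):
        print("%-18s %5.1f%%" % (bucket, share))
```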


PaiMei1
.
PaiMei Python, $

.
23. $
, PaiMei FileFuzz.
:
1. SWF Flash Player
PaiMei, PyDbg.
2. $
. ; $
,
SWF, .
3. ,

.
4. $
, Flash Player.
5. .
$
SWF 0x000C $
0xFFFF. , SWF $
,
. $
SWF $, Microsoft Internet Explorer
Mozilla Firefox. , $
, ,
ActionScript2, $
SAFlashPlayer.exe. $
Macromedia Studio.3

1. http://openrce.org/downloads/details/208/PaiMei
2. http://en.wikipedia.org/wiki/ActionScript
3. http://www.adobe.com/products/studio/

Sulley:



SWF $
.
.
$
SWF ,
. $
,
SWF,
SWF SWF. $
, SWF $
$ $
.

SWF .
$
.
, $
.

Sulley:
Sulley $
, $
. Sulley ( )

, . $
, $
. Sulley
Monsters, Inc. ( )1,
, .2 Sulley
$ http://www.fuzzing.org/sulley.
, , $
. Sulley
,
, $
. Sulley $
. Sulley
, $
. Sulley ,
1. http://www.pixar.com/featurefilms/inc/chars_pop1.html
2.
. fuzzy , $
fuzz, .
. .


. Sulley $
, . Sulley $
,
. Sulley
$
. , Sulley :
1. : $
. , , $
.
Sulley.
2. : ,
; $
Sulley (, , . .)
.
3. : $
. .
Sulley http://
www.fuzzing.org, . $
, , $
.

Sulley
Sulley , . $
, ,
, $
. ,
:
archived_fuzzies: ,
, $
, :
trend_server_protect_5168: $
.
trillian_jabber: , $
.
audits:
PCAP, , . $

archived_fuzzies.
docs:
Epydoc.
requests: Sulley. $
,
.


__REQUESTS__.html: $
. $
.
http.py: $.
trend.py: , $
, .
sulley: . $
.
legos: , .
ber.py: ASN.1/BER.
dcerpc.py: Microsoft RPC NDR.
misc.py: ,
.
xdr.py: XDR.
pgraph: Python.
.
utils: .
dcerpc.py: Microsoft RPC, $
.
misc.py: , $
CRC$16 UUID.
scada.py: ,
SCADA, DNP3.
__init__.py: s_, $
.
blocks.py: $
.
pedrpc.py: , $
Sulley $
.
primitives.py: ,
, , .
sessions.py:
.
sex.py: $
Sulley.
unit_tests: Sulley.
utils: .
crashbin_explorer.py: ,
, $
.


pcap_cleaner.py: ,
PCAP , $
.
network_monitor.py: ,
PedRPC.
process_monitor.py: $
, PedRPC.
unit_test.py: Sulley.
vmcontrol.py: , VMWare,
PedRPC.

, ,
, Sulley .
.


SPIKE .
, , $
$
,
. Sulley $
,
. :
s_initialize("new request")

,
.
. $
. $
. $
, $
. , $
,
, , .


, s_static(),
.
Sulley $
. s_dunno(), s_raw() s_unknown() s_static():
# these are all equivalent:
s_static("pedram\x00was\x01here\x02")
s_raw("pedram\x00was\x01here\x02")
s_dunno("pedram\x00was\x01here\x02")
s_unknown("pedram\x00was\x01here\x02")


, . . $
. $

request.names["name"] ,
, . $
,
s_binary(), , $
. SPIKE, , $
, (, $
, ) , $
:
# yeah, it can handle all these formats.
s_binary("0xde 0xad be ef \xca fe 00 01 02 0xba0xdd f0 0d")

Sulley
, , .
s_random(),
.
, 'min_length'
'max_length',
,
, . $
:
num_mutations ( , 25): , $
,
;
fuzzable (, True):
;
name (, None): ,
Sulley,
$
.
num_mutations ,
,
. $
, $
'min_length' 'max_length'.


ASCII
, , HTTP.
, Sulley $
:
: s_byte(), s_char();
: s_word(), s_short();


: s_dword(), s_long(), s_int();


: s_qword(), s_double().

,
. $
:
endian (, <): $
. <, >;
format (, binary): ,
ascii, , $
. , 100 $
100 ASCII \x64 ;
signed (, False):
, ascii;
full_range (, False):
(
);
fuzzable (, True):
;
name (, None): ,
Sulley,
$
.
full_range
. ,
DWORD; 4 294 967 295 .
, 10
, , $
, 13 !
Sulley
. 10 $
; (MAX_VAL); MAX_VAL,
2; MAX_VAL, 3; MAX_VAL, $
4; MAX_VAL, 8; MAX_VAL, 16,
MAX_VAL, 32. $
141
.


. , $
, , . $
, , .
Sulley s_string(),
. , $


. $
:
Size ( , 1): $
.
1;
padding (, \x00):
, $
, ;
encoding (, ascii): $
. ,
str.encode() Python. Microsoft Unicode
utf_16_le;
fuzzable (, True):
;
name (string, default None): , $
Sulley,
.
.
, ,
HTTP: GET /index.html HTTP/1.0. (/)
(.) . $
Sulley , $
s_delim(). , $
, $
. $
, s_delim()
'fuzzable' 'name'. ,
. $
,
HTML.
# fuzzes the string: <BODY bgcolor="black">
s_delim("<")
s_string("BODY")
s_delim(" ")
s_string("bgcolor")
s_delim("=")
s_delim("\"")
s_string("black")
s_delim("\"")
s_delim(">")

, , $
.
s_block_start(),


s_block_end(). ,
s_block_start().
:
group (, None): , $
( );
encoder ( , None): $
,
;
dep (, None): ,
;
dep_value (, None): ,
dep, $
;
dep_values ( , []): ,
dep, $
;
dep_compare (, ==): , $
. $
: ==, !=, >, >=, <, and <=.
, $
, ; $
.

$
, ,
. $
, ,
$
. s_group()
. ,
,
. $
Sulley, $
$.
# import all of Sulley's functionality.
from sulley import *

# this request is for fuzzing: {GET,HEAD,POST,TRACE} /index.html HTTP/1.1
# define a new block named "HTTP BASIC".
s_initialize("HTTP BASIC")

# define a group primitive listing the various HTTP verbs we wish to fuzz.
s_group("verbs", values=["GET", "HEAD", "POST", "TRACE"])

# define a new block named "body" and associate with the above group.
if s_block_start("body", group="verbs"):
    # break the remainder of the HTTP request into individual primitives.
    s_delim(" ")
    s_delim("/")
    s_string("index.html")
    s_delim(" ")
    s_string("HTTP")
    s_delim("/")
    s_string("1")
    s_delim(".")
    s_string("1")

    # end the request with the mandatory static sequence.
    s_static("\r\n\r\n")

# close the open block, the name argument is optional here.
s_block_end("body")

Sulley. $
HTTP BASIC.

.
GET, HEAD, POST TRACE.
$

. , s_block_start()
True,
, $
. , s_block_end()
.
. $
$
, .
Sulley, $
, , $
.

, . $
, $

. $
. DcsProcessor.exe Trend Micro Control Manager
TCP 20901 , $
XOR. $
$
XOR:

import struct

def trend_xor_encode (str):
    key = 0xA8534344
    ret = ""

    # pad to 4 byte boundary.
    pad = 4 - (len(str) % 4)

    if pad == 4:
        pad = 0

    str += "\x00" * pad

    while str:
        dword  = struct.unpack("<L", str[:4])[0]
        str    = str[4:]
        dword ^= key
        ret   += struct.pack("<L", dword)
        key    = dword        # the key is chained: each output dword keys the next one

    return ret


Sulley , $
, . $
, $
, , $
,
.

$
. , $
, ,
dep. $
Sulley ,
$
. $
dep_value. $
dep_values. , $

dep_compare. , $
, $
:
s_short("opcode", full_range=True)

# opcode 10 expects an authentication sequence.
if s_block_start("auth", dep="opcode", dep_value=10):
    s_string("USER")
    s_delim(" ")
    s_string("pedram")
    s_static("\r\n")
    s_string("PASS")
    s_delim(" ")
    s_delim("fuzzywuzzy")
s_block_end()

# opcodes 15 and 16 expect a single string hostname.
if s_block_start("hostname", dep="opcode", dep_values=[15, 16]):
    s_string("pedram.openrce.org")
s_block_end()

# the rest of the opcodes take a string prefixed with two underscores.
if s_block_start("something", dep="opcode", dep_values=[10, 15, 16],
                 dep_compare="!="):
    s_static("__")
    s_string("some string")
s_block_end()



(, , ) .


, $
, Sulley, .
, .

SPIKE s_sizer()
( s_size()). ,
, $
:
length ( , 4): ;
endian (, <): .
< > ;
format (, binary): , $
ascii, , $
;
inclusive (, False):
?
signed (, False):
, ascii;
fuzzable (, False):
;
name (, None): ,
Sulley,
$
.
, $
$


, XDR, ASN.1 . . Sulley $


.
Sulley .
; , $
, fuzzable.

, , s_checksum() $
.

:
algorithm ( , crc32):
,
(crc32, adler32, md5, sha1);
endian (, <): .
< > ;
length ( , 0): ,
0 ;
name (, None): ,
Sulley,
$
.
:
crc32, adler32, md5 sha1.
, $
.

s_repeat() ( s_repeater()) $
. , , $
$
. $
: , , $
.
, :
step (integer, default=1): $
;
fuzzable (boolean, default, False): $
;
name (, None): ,
Sulley,
$
.


,
.
, . $
, ,
, , CRC$32, $
.
, $
. , $
Sulley:
# table entry: [type][len][string][checksum]
if s_block_start("table entry"):
    # we don't know what the valid types are, so we'll fill this in with random data.
    s_random("\x00\x00", 2, 2)

    # next, we insert a sizer of length 2 for the string field to follow.
    s_size("string field", length=2)

    # block helpers only apply to blocks, so encapsulate the string primitive in one.
    if s_block_start("string field"):
        # the default string will simply be a short sequence of C's.
        s_string("C" * 10)
    s_block_end()

    # append the CRC32 checksum of the string to the table entry.
    s_checksum("string field")
s_block_end()

# repeat the table entry from 100 to 1,000 reps stepping 50 elements on each iteration.
s_repeat("table entry", min_reps=100, max_reps=1000, step=50)


Sulley
,
.


Sulley
, ,
, Microsoft RPC,
XDR, ASN.1 . ASN.1 / BER $
[0x04][0x84][ ][]. $
ASN.1$ $
.
:
s_lego("ber_string", "anonymous")

, $
options,


. $
tag,
XML:
class tag (blocks.block):
    def __init__ (self, name, request, value, options={}):
        blocks.block.__init__(self, name, request, None, None, None, None)

        self.value   = value
        self.options = options

        if not self.value:
            raise sex.error("MISSING LEGO.tag DEFAULT VALUE")

        # [delim][string][delim]
        self.push(primitives.delim("<"))
        self.push(primitives.string(self.value))
        self.push(primitives.delim(">"))

, , $
$
.

self.push().

ASN.1 / BER1 Sulley.
$
, $
: [0x02][0x04][ ], 0x02 $
, 0x04 ,
, $
. , sulley\legos\ber.py:
class integer (blocks.block):
    def __init__ (self, name, request, value, options={}):
        blocks.block.__init__(self, name, request, None, None, None, None)

        self.value   = value
        self.options = options

        if not self.value:
            raise sex.error("MISSING LEGO.ber_integer DEFAULT VALUE")

        self.push(primitives.dword(self.value, endian=">"))

    def render (self):
        # let the parent do the initial render.
        blocks.block.render(self)

        self.rendered = "\x02\x04" + self.rendered
        return self.rendered

1. http://luca.ntop.org/Teaching/Appunti/asn1.html

, $
self.push(). , $
render() , $
\x02\x04,
, $
. Sulley . $
,
,
. .

,
. Sulley
$
. $
. $
, pgraph,
, $
uDraw, . 21.2:

ROOT_NODE

helo

ehlo

mail from

rcpt to

data

. 21.2. SMTP+

from sulley import *

s_initialize("helo")
s_static("helo")

s_initialize("ehlo")
s_static("ehlo")

s_initialize("mail from")
s_static("mail from")

s_initialize("rcpt to")
s_static("rcpt to")

s_initialize("data")
s_static("data")

sess = sessions.session()
sess.connect(s_get("helo"))
sess.connect(s_get("ehlo"))
sess.connect(s_get("helo"), s_get("mail from"))
sess.connect(s_get("ehlo"), s_get("mail from"))
sess.connect(s_get("mail from"), s_get("rcpt to"))
sess.connect(s_get("rcpt to"), s_get("data"))

fh = open("session_test.udg", "w+")
fh.write(sess.render_graph_udraw())
fh.close()

, Sulley $
: , $
, .
helo. Sulley $
mail from, $
helo. Sulley $
rcpt to.
helo
mail from. data
ehlo. Sulley $
$
. , $
, , Ipswitch Collaboration
Suite 2006 .1
,
, @ :. $
,
EHLO, HELO.
, $
.

1. http://www.zerodayinitiative.com/advisories/ZDI-06-028.html



:
session_filename (, None): ,
.
, $
;
skip ( , .0): $
, ;
sleep_time ( , 1.0): , $
;
log_level (integer, default 2):
$; , $
;
proto (, tcp): ;
timeout ( , 5.0):
send() recv() .
, Sulley, $

.
$
, , , . $
:
def callback(node, edge, last_recv, sock)

node , , edge
$
node, last_recv , $
, sock . $
, , , $
. :
IP$ , , $
IP sock.getpeername()[0].
$
callback session.connect().


, $
. ,
,
VMWare, :
target = sessions.target("10.0.0.1", 5168)

target.netmon    = pedrpc.client("10.0.0.1", 26001)
target.procmon   = pedrpc.client("10.0.0.1", 26002)
target.vmcontrol = pedrpc.client("127.0.0.1", 26003)

target.procmon_options = \
{
    "proc_name"      : "SpntSvc.exe",
    "stop_commands"  : ['net stop "trend serverprotect"'],
    "start_commands" : ['net start "trend serverprotect"'],
}

sess.add_target(target)
sess.fuzz()


TCP 5168 10.0.0.1.


() ,
26001.
PCAP
$ . $
, $
26002.
, , $
,
. ,
VMWare,
26003. , .
Sulley ,
.
, $
.
.
: (network_monitor.py)
$
PCAP . $
TCP 26001
Sulley PedRPC.
, Sulley $
, $
. $
, Sulley $
, ,
PCAP .
PCAP .
, $
. $
.
:
ERR> USAGE: network_monitor.py
    <-d|--device DEVICE #>     device to sniff on (see list below)
    [-f|--filter PCAP FILTER]  BPF filter string
    [-p|--log_path PATH]       log directory to store pcaps to
    [-l|--log_level LEVEL]     log level (default 1), increase for more verbosity

Network Device List:
    [0] \Device\NPF_GenericDialupAdapter
    [1] {2D938150-427D-445F-93D6-A913B4EA20C0} 192.168.181.1
    [2] {9AF9AAEC-C362-4642-9A3F-0768CDA60942} 0.0.0.0
    [3] {9ADCDA98-A452-4956-9408-0968ACC1F482} 192.168.81.193
    ...

: (process_monitor.py)
,

. $
TCP 26002 Sulley
PedRPC.
Sulley
, $
, $ . ,
, , $
Sulley $$
( ). $
$
. $
.
:
ERR> USAGE: process_monitor.py
    <-c|--crash_bin FILENAME>  filename to serialize crash bin class to
    [-p|--proc_name NAME]      process name to search for and attach to
    [-i|--ignore_pid PID]      ignore this PID when searching for the target process
    [-l|--log_level LEVEL]     log level (default 1), increase for more verbosity

: VMWare (vmcontrol.py)
VMWare $
TCP 26003 Sulley
PedRPC. $
$
; , ,
, , $
.
, , Sulley
$
.

$


,
.
:
ERR> USAGE: vmcontrol.py
    <-x|--vmx FILENAME>        path to VMX to control
    <-r|--vmrun FILENAME>      path to vmrun.exe
    [-s|--snapshot NAME]       set the snapshot name
    [-l|--log_level LEVEL]     log level (default 1), increase for more verbosity


Sulley $,
26000.
fuzz() $ $
, , $
. . 21.3 , $
.

. $

. $
, $
. , , $
; $
.
.

. 21.3. + Sulley

Sulley
. $
$


, ,
. $
, .
crashbin_explorer.py, $
:
$ ./utils/crashbin_explorer.py
USAGE: crashbin_explorer.py <xxx.crashbin>
    [-t|--test #]      dump the crash synopsis for a specific test case number
    [-g|--graph name]  generate a graph of all crash paths, save to 'name'.udg

, , $
, , , , $
, $
. $
, Trillian
Jabber, :
$ ./utils/crashbin_explorer.py audits/trillian_jabber.crashbin
[3] ntdll.dll:7c910f29 mov ecx,[ecx] from thread 664 caused
access violation 1415, 1416, 1417,
[2] ntdll.dll:7c910e03 mov [edx],eax from thread 664 caused
access violation 3780, 9215,
[24] rendezvous.dll:4900c4f1 rep movsd from thread 664 caused
access violation 1418, 1419, 1420, 1421, 1422, 1423, 1424,
1425, 3443, 3781, 3782, 3783, 3784, 3785, 3786, 3787, 9216,
9217, 9218, 9219, 9220, 9221, 9222, 9223,
[1] ntdll.dll:7c911639 mov cl,[eax+0x5] from thread 664 caused
access violation 3442,
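The grouping crashbin_explorer.py performs, as an added Python 3 example rather than Sulley's own code: crash records (test case number, faulting location, stack unwind) are bucketed by faulting address, rendered in the synopsis format shown above, and folded into caller-to-callee edge counts, which is the crash-path graph of Figure 21.4. The record set is constructed for this example; it reuses the module offsets quoted on this page, but the unwinds and test-case numbers beyond those printed above are assumptions.

```python
from collections import Counter, defaultdict

# Frames quoted in the synopsis above; used only to build the constructed records below.
UNWIND_VIA_D5C = ["ntdll.dll:7c910d5c", "rendezvous.dll:49023967",
                  "rendezvous.dll:4900c56d", "kernel32.dll:7c80b50b"]
UNWIND_COPY = ["rendezvous.dll:4900c56d", "kernel32.dll:7c80b50b"]
UNWIND_AFD = ["ntdll.dll:7c910d5c", "rendezvous.dll:49023afd", "kernel32.dll:7c80b50b"]


def constructed_crashes():
    """(test case, faulting location with disassembly, stack unwind innermost-first)."""
    records = []
    records += [(n, "ntdll.dll:7c910f29 mov ecx,[ecx]", UNWIND_VIA_D5C) for n in (1415, 1416, 1417)]
    records += [(n, "ntdll.dll:7c910e03 mov [edx],eax", UNWIND_VIA_D5C) for n in (3780, 9215)]
    records += [(n, "rendezvous.dll:4900c4f1 rep movsd", UNWIND_COPY) for n in range(1418, 1426)]
    records += [(3442, "ntdll.dll:7c911639 mov cl,[eax+0x5]", UNWIND_AFD)]
    return records


def bucket_by_fault(crashes):
    """One bucket per faulting location.  Test cases that die on the same instruction are
    almost always the same bug, so this is the first cut at deduplicating findings."""
    buckets = defaultdict(list)
    for test_case, fault, _ in crashes:
        buckets[fault].append(test_case)
    return {fault: sorted(cases) for fault, cases in buckets.items()}


def synopsis_lines(buckets, thread=664):
    """Render buckets in the format crashbin_explorer.py prints, largest bucket first."""
    ordered = sorted(buckets.items(), key=lambda item: -len(item[1]))
    return ["[%d] %s from thread %d caused access violation %s," %
            (len(cases), fault, thread, ", ".join(str(c) for c in cases))
            for fault, cases in ordered]


def crash_path_edges(crashes):
    """Count caller->callee edges from the outermost frame down to the faulting site, so
    crashes sharing a prefix merge into one path and the leaves are the distinct fault sites."""
    edges = Counter()
    for _, fault, unwind in crashes:
        path = list(reversed(unwind)) + [fault.split(" ", 1)[0]]
        for caller, callee in zip(path, path[1:]):
            edges[(caller, callee)] += 1
    return edges


def node_hit_counts(edges):
    """Per-node counts like the bracketed numbers in Figure 21.4: crashes that passed through."""
    hits = Counter()
    for (_, callee), count in edges.items():
        hits[callee] += count
    # a root has no incoming edge, so count it from its outgoing edges instead.
    roots = {caller for caller, _ in edges} - {callee for _, callee in edges}
    for (caller, _), count in edges.items():
        if caller in roots:
            hits[caller] += count
    return hits


if __name__ == "__main__":
    crashes = constructed_crashes()
    for line in synopsis_lines(bucket_by_fault(crashes)):
        print(line)
    for (caller, callee), count in sorted(crash_path_edges(crashes).items()):
        print("%3d  %s -> %s" % (count, caller, callee))
```

Bucketing by faulting address alone is coarse: the two ntdll.dll heap-manager faults above share the same caller path and are really one heap corruption seen at two unlink sites, which is exactly what the merged path graph makes visible and a flat per-address list hides.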


, . $
,
t.
1416:
$ ./utils/crashbin_explorer.py audits/trillian_jabber.crashbin -t 1416
ntdll.dll:7c910f29 mov ecx,[ecx] from thread 664 caused access violation
when attempting to read from 0x263b7467

CONTEXT DUMP
  EIP: 7c910f29 mov ecx,[ecx]
  EAX: 039a0318 (  60424984) -> gt;&gt;&gt;...&gt;&gt;&gt;&gt;&gt; (heap)
  EBX: 02f40000 (  49545216) -> PP@ (heap)
  ECX: 263b7467 ( 641430631) -> N/A
  EDX: 263b7467 ( 641430631) -> N/A
  EDI: 0399fed0 (  60423888) -> #e<root><message>&gt;&gt;&gt;...&gt;&gt;& (heap)
  ESI: 039a0310 (  60424976) -> gt;&gt;&gt;...&gt;&gt;&gt;&gt;&gt; (heap)
  EBP: 03989c38 (  60333112) -> \|gt;&t]IPIx;IXIox@ @x@PP8|p|Hg9I P (stack)
  ESP: 03989c2c (  60333100) -> \|gt;&t]IPIx;IXIox@ @x@PP8|p|Hg9I (stack)
  +00: 02f40000 (  49545216) -> PP@ (heap)
  +04: 0399fed0 (  60423888) -> #e<root><message>&gt;&gt;&gt;...&gt;&gt;& (heap)
  +08: 00000000 (         0) -> N/A
  +0c: 03989d0c (  60333324) -> Hg9I Pt]I@"ImI,IIpHsoIPnIX{ (stack)
  +10: 7c910d5c (2089880924) -> N/A
  +14: 02f40000 (  49545216) -> PP@ (heap)

disasm around:
  0x7c910f18 jnz 0x7c910fb0
  0x7c910f1e mov ecx,[esi+0xc]
  0x7c910f21 lea eax,[esi+0x8]
  0x7c910f24 mov edx,[eax]
  0x7c910f26 mov [ebp+0xc],ecx
  0x7c910f29 mov ecx,[ecx]
  0x7c910f2b cmp ecx,[edx+0x4]
  0x7c910f2e mov [ebp+0x14],edx
  0x7c910f31 jnz 0x7c911f21

stack unwind:
  ntdll.dll:7c910d5c
  rendezvous.dll:49023967
  rendezvous.dll:4900c56d
  kernel32.dll:7c80b50b

SEH unwind:
  03989d38 -> ntdll.dll:7c90ee18
  0398ffdc -> rendezvous.dll:49025d74
  ffffffff -> kernel32.dll:7c8399f3

,
, ,
ECX, , $
ASCII &;tg. , ?
, $
, $
g.
. 21.4 Trillian
Jabber.
, , ,
, , , . $
. $

XMPP (
). Trillian $
_presence mDNS (
DNS) UDP 5353. $
mDNS,

[Figure 21.4. Crash path graph generated by Sulley for the Trillian Jabber audit. Nodes, with the number of crashes passing through each: [30] kernel32.dll:7c80b50b; [5] rendezvous.dll:4900c56d; [24] rendezvous.dll:4900c4f1; [1] rendezvous.dll:49023afd; [5] rendezvous.dll:49023967; [3] ntdll.dll:7c910d5c; [1] rendezvous.dll:49023b1f; [2] ntdll.dll:7c910e03; [1] ntdll.dll:7c911639; [3] ntdll.dll:7c910f29.]

XMPP TCP 5298. plugins\rendezvous.dll $


:
4900C470 str_len:
4900C470     mov     cl, [eax]        ; *eax = message+1
4900C472     inc     eax
4900C473     test    cl, cl
4900C475     jnz     short str_len
4900C477     sub     eax, edx
4900C479     add     eax, 128         ; strlen(message+1) + 128
4900C47E     push    eax
4900C47F     call    _malloc


,
, +128, $
, expatxml.xmlComposeString(), :
plugin_send(MYGUID, "xmlComposeString", struct xml_string_t *);
struct xml_string_t {
unsigned int struct_size;
char *string_buffer;
struct xml_tree_t *xml_tree;
};

xmlComposeString() expatxml.
19002420(), HTML &, > < &, > < $
.
:

19002492     push    0
19002494     push    0
19002496     push    offset str_Amp         ; "&amp;"
1900249B     push    offset ampersand       ; "&"
190024A0     push    eax
190024A1     call    sub_190023A0

190024A6     push    0
190024A8     push    0
190024AA     push    offset str_Lt          ; "&lt;"
190024AF     push    offset less_than       ; "<"
190024B4     push    eax
190024B5     call    sub_190023A0

190024BA     push    0
190024BC     push    0
190024BE     push    offset str_Gt          ; "&gt;"
190024C3     push    offset greater_than    ; ">"
190024C8     push    eax
190024C9     call    sub_190023A0


,
rendezvous.dll ,
:
4900C4EC     mov     ecx, eax
4900C4EE     shr     ecx, 2
4900C4F1     rep movsd
4900C4F3     mov     ecx, eax
4900C4F5     and     ecx, 3
4900C4F8     rep movsb
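The arithmetic behind the crash, as an added Python 3 example (not code from Trillian, Sulley or the book): the allocation mirrors str_len at 4900C470, the expansion mirrors the three substitutions xmlComposeString() performs, and the difference between the two is what the rep movsd/movsb copy at 4900C4EC writes past the heap chunk. It also finds the shortest run of a single metacharacter that overruns the 128-byte slack and shows how the buffer should have been sized. Function names are this example's own.

```python
# Substitutions performed by the three sub_190023A0 calls in expatxml.dll shown above.
ENTITY_MAP = {"&": "&amp;", "<": "&lt;", ">": "&gt;"}


def allocated_size(message):
    """The malloc at 4900C47F: strlen(message + 1) + 128.  The first byte is skipped and the
    allocation is sized from the raw message, before any entity expansion happens."""
    payload = message[1:]
    return len(payload) + 128


def xml_compose(message):
    """What xmlComposeString() produces for the payload: every & < > becomes its entity."""
    return "".join(ENTITY_MAP.get(ch, ch) for ch in message[1:])


def overflow_margin(message):
    """Bytes the copy at 4900C4EC writes past the chunk; <= 0 means the expanded string fits.
    Expansion gains 3 bytes per '<' or '>' and 4 per '&', so 128 bytes of slack only absorb
    the first 42 angle brackets of a message."""
    return len(xml_compose(message)) - allocated_size(message)


def minimal_overflowing_message(char=">"):
    """Shortest run of one metacharacter whose expansion overruns the allocation."""
    count = 1
    while overflow_margin("\x00" + char * count) <= 0:
        count += 1
    return "\x00" + char * count


def hardened_size(message):
    """The fix: size the destination from the expanded length (plus a NUL), not from the
    input length; equivalently, bound the copy by the allocation.  The margin is then
    never positive for any input."""
    return len(xml_compose(message)) + 1


if __name__ == "__main__":
    trigger = minimal_overflowing_message(">")
    print("%d '>' characters overrun the chunk by %d byte(s)"
          % (len(trigger) - 1, overflow_margin(trigger)))
    print("allocation made: %d, allocation needed: %d"
          % (allocated_size(trigger), hardened_size(trigger)))
```

The constructed trigger matches what the context dump shows: EDI pointing at `<message>&gt;&gt;&gt;...` on the heap, a long run of escaped angle brackets that grew well past the 128 bytes the plugin reserved.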

, Sulley, $
. $
, $
. ,
, PCAP, $
, . pcap_cleaner.py
:
$ ./utils/pcap_cleaner.py
USAGE: pcap_cleaner.py <xxx.crashbin> <path to pcaps>

,
, $
, PCAP $
. ,
,
.



, $
Sulley; ,
. ,
, $
, $
Sulley. $
Trend Micro Server Protect, ,
Microsoft DCE/RPC TCP 5168,
SpntSvc.exe. RPC
TmRpcSrv.dll, $
, IDL ( ):
// opcode: 0x00, address: 0x65741030
// uuid: 25288888-bd5b-11d1-9d53-0080c83a5c2c
// version: 1.0

error_status_t rpc_opnum_0 (
    [in] handle_t arg_1,                          // not sent on wire
    [in] long trend_req_num,
    [in][size_is(arg_4)] byte some_string[],
    [in] long arg_4,
    [out][size_is(arg_6)] byte arg_5[],           // not sent on wire
    [in] long arg_6
);


arg_1 arg_6
. , $
.
, trend_req_num $
. ,
$
RPC.
:
0x0001,
1
21;
0x0002,
1
18;
0x0003,
1
84;
0x0005,
1
24;

428

21.

0x000A,

1 48;
0x001F,
1
21.

$
,
DCE/RPC.
, .
utils.dcerpc.request() , $

, :
# dce rpc request encoder used for trend server protect 5168 RPC service.
# opnum is always zero.
def rpc_request_encoder (data):
return utils.dcerpc.request(0, data)


$
, Sulley.
requests\trend.py, $
, Trend, $
. $
(
), Python
$
trend_req_num:
for op, submax in [(0x1, 22), (0x2, 19), (0x3, 85), (0x5, 25), (0xa, 49), (0x1f, 25)]:
    s_initialize("5168: op-%x" % op)
    if s_block_start("everything", encoder=rpc_request_encoder):
        # [in] long trend_req_num,
        s_group("subs", values=map(chr, range(1, submax)))
        s_static("\x00")                          # subs is actually a little endian word
        s_static(struct.pack("<H", op))           # opcode

        # [in][size_is(arg_4)] byte some_string[],
        s_size("some_string")
        if s_block_start("some_string", group="subs"):
            s_static("A" * 0x5000, name="arg3")
        s_block_end()

        # [in] long arg_4,
        s_size("some_string")

        # [in] long arg_6
        s_static(struct.pack("<L", 0x5000))       # output buffer size

    s_block_end()



.
s_group() $
subs,
trend_req_num, .
.
trend_req_num,
;
, . $
some_string NDR.
DCE/RPC NDR Sulley,
RPC , $
NDR . some_string.
,
. $
A ( 20 ). $
s_string(),
, Trend
, $
. ,
size_is arg_4. ,
$
. ,
.


Sulley , $
fuzz_trend_server_protect_5168.py.
archived_fuzzies, $
. Sulley $
Trend :
from sulley import *
from requests import trend

, $
DCE/RPC
.
, , . $
utils.dcerpc.bind(),
Sulley:
def rpc_bind (sock):
    bind = utils.dcerpc.bind("25288888-bd5b-11d1-9d53-0080c83a5c2c", "1.0")
    sock.send(bind)

    utils.dcerpc.bind_ack(sock.recv(1000))


$
. , $
Trend Server Protect, $
VMWare 10.0.0.1.
$
. ,
, $
:
sess = sessions.session(session_filename="audits/trend_server_protect_5168.session")

target = sessions.target("10.0.0.1", 5168)

target.netmon    = pedrpc.client("10.0.0.1", 26001)
target.procmon   = pedrpc.client("10.0.0.1", 26002)
target.vmcontrol = pedrpc.client("127.0.0.1", 26003)


VMWare, Sulley $
$
,
. VMWare ,
, Sulley
. $
stop_commands start_commands :
target.procmon_options = \
{
    "proc_name"      : "SpntSvc.exe",
    "stop_commands"  : ['net stop "trend serverprotect"'],
    "start_commands" : ['net start "trend serverprotect"'],
}


proc_name , $
; , $
, ,
.
VMWare, , Sulley $
, $
.
, , $
restart_target() VMWare. $
, $
, $
. , $
fuzz() :
# start up the target.
target.vmcontrol.restart_target()
print "virtual machine up and running"

sess.add_target(target)
sess.pre_send = rpc_bind
sess.connect(s_get("5168: op-1"))
sess.connect(s_get("5168: op-2"))
sess.connect(s_get("5168: op-3"))
sess.connect(s_get("5168: op-5"))
sess.connect(s_get("5168: op-a"))
sess.connect(s_get("5168: op-1f"))
sess.fuzz()


$
. $
$

:
network_monitor.py -d 1 \
                   -f "src or dst port 5168" \
                   -p audits\trend_server_protect_5168

process_monitor.py -c audits\trend_server_protect_5168.crashbin \
                   -p SpntSvc.exe

, ,
Sulley, $
. BPF ( ) $
, ,
, . $
,
PCAP . $
$
, sulley ready and waiting
(sulley ).
VMWare VM$
Ware ( ). $
vmrun.exe, $
, , , ,
,
:
vmcontrol.py -r "c:\\VMware\vmrun.exe" \
             -x "v:\vmfarm\Trend\win_2000_pro.vmx" \
             --snapshot "sulley ready and waiting"

, , !
, . fuzz_trend_server_protect_
5168.py $ http://127.0.0.1:26000
. ,
.


221 $
, , 19 $
. crashbin_explorer.py, $
, :
$ ./utils/crashbin_explorer.py audits/trend_server_protect_5168.crashbin
[6] [INVALID]:41414141 Unable to disassemble at 41414141 from thread 568
caused access violation 42, 109, 156, 164, 170, 198,
[3] LogMaster.dll:63272106 push ebx from thread 568 caused
access violation 53, 56, 151,
[1] ntdll.dll:77fbb267 push dword [ebp+0xc] from thread 568 caused
access violation 195,
[1] Eng50.dll:6118954e rep movsd from thread 568 caused access violation
181,
[1] ntdll.dll:77facbbd push edi from thread 568 caused access violation
118,
[1] Eng50.dll:61187671 cmp word [eax],0x3b from thread 568 caused
access violation 116,
[1] [INVALID]:0058002e Unable to disassemble at 0058002e from thread 568
caused access violation 70,
[2] Eng50.dll:611896d1 rep movsd from thread 568 caused access violation
152, 182,
[1] StRpcSrv.dll:6567603c push esi from thread 568 caused
access violation 106,
[1] KERNEL32.dll:7c57993a cmp ax,[edi] from thread 568 caused
access violation 165,
[1] Eng50.dll:61182415 mov edx,[edi+0x20c] from thread 568 caused
access violation 50,

,
, , $
EIP, 0x41414141. 70 ,
,
Unicode ($, $
, , ). ,
,
,
. $
. $
:
$ ./utils/crashbin_explorer.py
USAGE: crashbin_explorer.py <xxx.crashbin>
    [-t|--test #]       dump the crash synopsis for a specific
                        test case number
    [-g|--graph name]   generate a graph of all crash paths,
                        save to 'name'.udg

, , $
$
70:

Sulley:


$ ./utils/crashbin_explorer.py audits/trend_server_protect_5168.crashbin -t 70
[INVALID]:0058002e Unable to disassemble at 0058002e from thread 568
caused access violation
when attempting to read from 0x0058002e

CONTEXT DUMP
  EIP: 0058002e Unable to disassemble at 0058002e
  EAX: 00000001 (         1) -> N/A
  EBX: 0259e118 (  39444760) -> A.....AAAAA (stack)
  ECX: 00000000 (         0) -> N/A
  EDX: ffffffff (4294967295) -> N/A
  EDI: 00000000 (         0) -> N/A
  ESI: 0259e33e (  39445310) -> A.....AAAAA (stack)
  EBP: 00000000 (         0) -> N/A
  ESP: 0259d594 (  39441812) -> LA.XLT.......MPT.MSG.OFT.PPS.RT (stack)
  +00: 0041004c (   4259916) -> N/A
  +04: 0058002e (   5767214) -> N/A
  +08: 0054004c (   5505100) -> N/A
  +0c: 0056002e (   5636142) -> N/A
  +10: 00530042 (   5439554) -> N/A
  +14: 004a002e (   4849710) -> N/A

disasm around:
  0x0058002e Unable to disassemble

SEH unwind:
  0259fc58 -> StRpcSrv.dll:656784e3
  0259fd70 -> TmRpcSrv.dll:65741820
  0259fda8 -> TmRpcSrv.dll:65741820
  0259ffdc -> RPCRT4.dll:77d87000
  ffffffff -> KERNEL32.dll:7c5c216c

, $ , $
Unicode . $
PCAP .
. 21.5 Wireshark,
PCAP.

. 21.5. DCE/PRC Wireshark


, , , ,
PCAP, ,
. pcap_cleaner.py $
:
$ ./utils/pcap_cleaner.py
USAGE: pcap_cleaner.py <xxx.crashbin> <path to pcaps>

,
, ,
PCAP .
, $
, Trend. $
:
TSRT$07$01. StCom$
mon.dll Trend Micro ServerProtect;
TSRT$07$02. eng50.dll
Trend Micro ServerProtect.
, $
.
.
,
s_string(), .


, ;
, .
$
, ,
.
, $
, , $
, $
. SWF Shock$
wave Flash Adobe Macromedia , $
$ ,
, ,

. , , ,
$
,
. , $


$
,
.
$
Sulley. $
,
$
. Sulley $
; $
. http://www.fuzzing.org
,
.

22

, .
$.,
$,
27 2000

$
. , $
, $
, $
. $

$. , $
.
$
$
.
$
.

?
$
,
,
. $
SMB$ Microsoft, , 1992


Samba.1 $
$ Samba
Windows$ SMB$$. $
$
?
.
, , ,
.
, HTTP, $
, RFC2 $
. $
. , , $
,
, , $
. $
Ipswitch I$Mail. 2006 $
Ipswitch's SMTP $
.3 $
$
, @ :. , $
, .

SAMBA
SAMBA 10 1992 ,
(Andrew Tridgell)
vmsnet.networks.desktop.pathworks newsgroup.4 $
UNIX$
PATHWORKS DOS.
nbserver, 1994 ,
Syntax Corp. , $
Samba.5 Sam$
ba $
$ .

1 http://www.samba.org
2 http://www.w3.org/Protocols/rfc2616/rfc2616.html
3 http://www.zerodayinitiative.com/advisories/ZDI-06-028.html
4 http://groups.google.com/group/vmsnet.networks.desktop.pathworks/msg/7d939a9e7e419b9c
5 http://www.samba.org/samba/docs/10years.html


,
Ipswitch $ ,
.
, ,
, .
, $
. ,
, , $
: $
. , $
$
. , $
. , HTTP, $
, . $
, , $
GET POST, HEAD, OPTIONS
TRACE .
?

. $
, . $
, $
, , $
$
.
$
,
, . ,
, $
, $ .
, , .
, , $
.
Wotsit.org, $
, .
, $
Wireshark Ethereal,
,
.
$
,
. $
, $
$
.



, ,
,
$
. ,
.


, , $
1 ,
ProxyFuzzer. $$
,
. 22.1.

. 22.1.

, ProxyFuzzer $
, $
. ,
2 ,
. ,
, . ,
, . 22.2.
, $
. 22.2,
, .
ProxyFuzzer
, $
,
. , $
,
1 Tipping Point.
2 IP , .


. 22.2.

(PCAP). , $

$
Matasano's Protocol Debugger (PDB).1
ProxyFuzzer $
, $
. ProxyFuzzer ,
;
,
ASCII . $
$
, .
. 22.3 .
, ProxyFuzzer ,
$
. , ()
, $
, .

. 22.3.
1 http://www.matasano.com/log/399/pdb-blackhat-talk-materials-as-promised/


ProxyFuzzer
ProxyFuzzer $
, .
, , $
( ) .
$ ProxyFuzzer

Computer Associates Brightstor.
$
, . $
$ TCP 6050

UnivAgent.exe.
igateway.exe
HTTP, TCP 5250. $
,
.
fprintf(), $ $
.
, $
; , $
ProxyFuzzer .

, $
. , , $
,
. $
, , $
, , . , $
$
, .


ProxyFuzzer.
$
.

.
, $
, . . $


. $
.
, $
. ( TCP/IP$) $
IP$ . ,
, $
, ASCII.
, $
, ,
. 22.4, $
.

[Figure 22.4 residue: data type taxonomy with the nodes raw data; plaintext; delimited; char; binary; padded; static; TLV; XML]

. 22.4.

,
SMB, , $
, , ,
, ,
.
,
(|):
|00 04|user|00 06|pedram|0a 0a 00 01|code rev 254|00 00 00 00 be ef|END
|00 04|user|00 04|cody|0a 0a 00 02|code rev 11|00 00 00 00 00 de ad|END
|00 04|user|00 05|aaron|0a 0a 00 03|code rev 31337|00 00 00 c0 1a|END

(, , ) $
$
. , $
.


IP$ (0a 0a 00 01 = $
IP 10.10.0.1). 4 ASCII$: , [user],
[pedram],[ code rev 254] END. $
, $,
$ , , . ,
( $
), IP$ . $
.
, ASCII$ , $
. .
, 10$ $
ASCII. , ENG,
. ,
ASCII . 0xbeef,
, $
. , $
, . , ,
,
:
;
;
IP$ ;
10$
;
$
;
ASCII .
$
. $
. $
,
. ,
, .


,
, $
. . $
runtime ( ,
), .
. $
$.
.
, , $


. $
:
0040206C    call ds:__imp__sscanf
00402072    mov eax, [esp+5DA4h+var_5CDC]
00402079    add esp, 0Ch
0040207C    cmp eax, 3857106359         ; string prefix check
00402081    jz short loc_40208D
00402083    push offset 'string'        ; "access protocol error"
00402088    jmp loc_401D61

sscanf() API
. $
3857106359, , $
$
. $
.

.
.
$
PyDbg $
PaiMei.1
http://www.fuzzing.org.
,
.

, $
, , $
, , , $
, , $
, .2 ,
,
,
, , , . $
$
. $
?
$

. . $
:
1 http://openrce.org/downloads/details/208/PaiMei
2 http://en.wikipedia.org/wiki/Bioinformatics


: ACAT
TACAGGA.
: ACATTCCTACAGGA.

$
. $
; , 1 (Needleman Wun$
sch (NW)), 1970 2 (Saul Needle$
man) 3 (Christian Wunsch). NW$ $

.
, . .
.
,
2004
ToorCon4 , .
(Marshall Beddoe)
Python Protocol
Informatics (PI), , , ,
Wired.5 $
, . PI $
Mu Security6,
, , $
$ . ,
$ PI Packet Storm.7
PI $
$
. $
8 (SW), NW$
, PI $
, HTTP, ICMP SMB. $
, ,
PI, , $
.
$
. $
. SW$
1 http://en.wikipedia.org/wiki/Needleman-Wunsch_algorithm
2 http://en.wikipedia.org/wiki/Saul_Needleman
3 http://en.wikipedia.org/wiki/Christian_Wunsch
4 http://www.toorcon.org
5 http://www.wired.com/news/infostructure/0,1377,65191,00.html
6 http://www.musecurity.com
7 http://packetstormsecurity.org/sniffers/PI.tgz
8 http://en.wikipedia.org/wiki/Smith-Waterman


, $
.
NW$ . $
.
, Percent Accepted Mutation (PAM) Blocks
Substitution Matrix (BLOSUM), PI $
, .
, ,
ASCII$ ASCII.
$
. PI , $
. $

NW, , $
,
(Unweighted Pairwise Mean by
Arithmetic Averages, UPGMA).
. $
.
ICMP1
PI. $
ICMP:
# tcpdump -s 42 -c 100 -nl -w icmp.dump icmp

PI:
# ./main.py -g -p ./icmp.dump
Protocol Informatics Prototype (v0.01 beta)
Written by Marshall Beddoe <mbeddoe@baselineresearch.net>
Copyright (c) 2004 Baseline Research
Found 100 unique sequences in '../dumps/icmp.out'
Creating distance matrix .. complete
Creating phylogenetic tree .. complete
Discovered 1 clusters using a weight of 1.00
Performing multiple alignment on cluster 1 .. complete
Output of cluster 1
0097 x08 x00 xad x4b x05 xbe x00 x60
0039 x08 x00 x30 x54 x05 xbe x00 x26
0026 x08 x00 xf7 xb2 x05 xbe x00 x19
0015 x08 x00 x01 xdb x05 xbe x00 x0e
0048 x08 x00 x4f xdf x05 xbe x00 x2f
0040 x08 x00 xf8 xa4 x05 xbe x00 x27
0077 x08 x00 xe8 x28 x05 xbe x00 x4c
0017 x08 x00 xe8 x6c x05 xbe x00 x10
0027 x08 x00 xc3 xa9 x05 xbe x00 x1a
0087 x08 x00 xdd xc1 x05 xbe x00 x56
1 http://en.wikipedia.org/wiki/Internet_Control_Message_Protocol


0081 x08 x00 x88 x42 x05 xbe x00 x50


0058 x08 x00 xb0 x42 x05 xbe x00 x39
0013 x08 x00 x3e x38 x05 xbe x00
0067 x08 x00 x99 x36 x05 xbe x00 x42
0055 x08 x00 x0f x56 x05 xbe x00 x36
0004 x08 x00 xe6 xda x05 xbe x00 x03
0028 x08 x00 x83 xd9 x05 xbe x00 x1b
0095 x08 x00 xc1 xd9 x05 xbe x00 x5e
0093 x08 x00 xb6 x05 xbe x00 x5c
[ output trimmed for sake of brevity ]
0010 x08 x00 xd1 xb6 x05 xbe x00
0024 x08 x00 x11 x8f x05 xbe x00 x17
0063 x08 x00 x11 x04 x05 xbe x00 x3e
0038 x08 x00 x37 x3b x05 xbe x00 x25
DT BBB ZZZ BBB BBB BBB BBB ZZZ AAA
MT 000 000 081 089 000 000 000 100
Ungapped Consensus:
CONS x08 x00 x3f x18 x05 xbe x00 ???
DT BBB ZZZ BBB BBB BBB BBB ZZZ AAA
MT 000 000 081 089 000 000 000 100
Step 3: Analyze Consensus Sequence
Pay attention to datatype composition and mutation rate.
Offset 0: Binary data, 0% mutation rate
Offset 1: Zeroed data, 0% mutation rate
Offset 2: Binary data, 81% mutation rate
Offset 3: Binary data, 89% mutation rate
Offset 4: Binary data, 0% mutation rate
Offset 5: Binary data, 0% mutation rate
Offset 6: Zeroed data, 0% mutation rate
Offset 7: ASCII data, 100% mutation rate

:
[ 1 byte ] [ 1 byte ] [ 2 byte ] [ 2 byte ] [ 1 byte ] [ 1 byte ]

:
[ 1 byte ] [ 1 byte ] [ 2 byte ] [ 2 byte ] [ 2 byte ]

$ $
ICMP$.
16$ . 100 $
, .
,
.
$
. $
, $
.1 PI $
, .
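As an added illustration, not PI's own code, the following Python 3 script performs the per-offset analysis shown in the "Step 3" output above on a constructed set of eight-byte ICMP echo-request headers: it labels each offset as zeroed, ASCII or binary data, computes a mutation rate (defined here, as an assumption, as the share of distinct values seen at that offset across the samples), builds the ungapped consensus and derives the field layout by merging adjacent offsets with the same behaviour. The alignment step (Needleman-Wunsch or Smith-Waterman) is skipped because the constructed samples are already of equal length and aligned.

```python
import collections

# Constructed sample (not a real capture): eight-byte ICMP echo-request
# headers laid out as "08 00 <checksum> 05 be 00 <seq>", like the PI run above.
SAMPLES = [
    bytes.fromhex("0800ad4b05be0060"),
    bytes.fromhex("0800305405be0026"),
    bytes.fromhex("08004fdf05be002f"),
    bytes.fromhex("0800f8a405be0027"),
    bytes.fromhex("0800e82805be004c"),
    bytes.fromhex("0800ddc105be0056"),
]


def datatype(values):
    """Classify one offset the way PI's Step 3 output labels it."""
    if all(v == 0 for v in values):
        return "Zeroed data"
    if all(0x20 <= v <= 0x7e for v in values):
        return "ASCII data"
    return "Binary data"


def mutation_rate(values):
    """Assumed definition: 0 when the byte is constant across all samples,
    100 when every sample carries a different value, linear in between."""
    if len(values) < 2:
        return 0
    return 100 * (len(set(values)) - 1) // (len(values) - 1)


def analyze(samples):
    """Per-offset (offset, datatype, mutation rate) for aligned samples."""
    width = min(len(s) for s in samples)
    rows = []
    for off in range(width):
        column = [s[off] for s in samples]
        rows.append((off, datatype(column), mutation_rate(column)))
    return rows


def consensus(samples):
    """Most frequent byte per offset; None where the offset is fully variable
    (PI prints '???' there)."""
    result = []
    for off, _kind, rate in analyze(samples):
        column = [s[off] for s in samples]
        if rate == 100:
            result.append(None)
        else:
            result.append(collections.Counter(column).most_common(1)[0][0])
    return result


def infer_layout(rows):
    """Merge adjacent offsets that share a datatype and the same constant/variable
    behaviour into one field; returns the field widths in bytes."""
    fields = []
    prev = None
    for _off, kind, rate in rows:
        key = (kind, rate > 0)
        if key == prev:
            fields[-1] += 1
        else:
            fields.append(1)
            prev = key
    return fields


if __name__ == "__main__":
    for off, kind, rate in analyze(SAMPLES):
        print("Offset %d: %s, %d%% mutation rate" % (off, kind, rate))
    print("CONS " + " ".join("???" if b is None else "x%02x" % b
                             for b in consensus(SAMPLES)))
    print(" ".join("[ %d byte ]" % w for w in infer_layout(analyze(SAMPLES))))
```

The layout this derives for the sample, six fields of 1, 1, 2, 2, 1 and 1 bytes, matches the first of the two candidate layouts printed by PI above; which of the two is right cannot be decided from the bytes alone, since offsets 4 and 5 are constant in every sample.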
1 http://www.matasano.com/log/294/protocol-informatics/



() $
, , . $
, $
.
, $
. ,
.
:
, ;
, $
;
, $
.
$
. , $
, $
10.
. $
, .

3 6 .
,
. $
, $
. :
1. .
2. ,
.
3. .
4. , $
.
,
() :
0100100000    2
1000001010    3
1110100111    7
0000001000    1

( )
, ( $
). 3 ,
6 :



1000001010 (3), 1110100111 (7), 3:
    100 + 0100111 -> 1000100111
    111 + 0001010 -> 1110001010

1000001010 (3), 1110100111 (7), 6:
    100000 + 0111 -> 1000000111
    111010 + 1010 -> 1110101010

(
). :
1000100111 -> 1010100111    6
1110001010 -> 1110000010    4
1000000111 -> 1000001111    5
1110101010 -> 1110101110    7

, , $
.
.
, $
$ .
, $
. , ,
.
, ,
$ .

$
(); $
BlackHat US 2006 .1 $
, Sidewinder,
. $
$, $
$ . $
. $

, API (, strcpy), $
. ,
Autodafé
, . $
(control$flow graph, CFG; $
2) ,
( recv) $
. . 22.5 CFG, $
. CFG
23 .

1 http://www.blackhat.com/html/bh-usa-06/bh-usa-06-speakers.html#Embleton
2 http://en.wikipedia.org/wiki/Context-free_grammar


[Figure 22.5 residue: control-flow graph with the nodes recv and strcpy]

. 22.5. ,

$
, . . 22.6
CFG $
.
CFG. $
$
. ,
. . 22.7
CFG . $
.
CFG, .
, $
,
CFG . $
.
, ,
.
, . $
. $
,
, , $
.


[Figure 22.6 residue: control-flow graph with the nodes recv and strcpy]

. 22.6.

[Figure 22.7 residue: control-flow graph with the nodes recv and strcpy]

. 22.7.


Sidewinder , $
$
. , $
,
. $, CFG
. ,
$
. $, $
CFG. CFG $
. ,
$
, TLV. ,
,
CRC.
, .
, Sidewinder

, ,
,
.

, $
$
. $
, , $
.
, . , $
, $
. $
http://www.fuzzing.org.

23

, , ,
+ ,
.
$.,
$ CNN,
30 2000

,
, $
.
. $
, $
. ,
.
, $
. ,
, , $
, $
.

?
,
. . .
. , $
IA$32/x86 (Complex In$


struction Set Computer1 (CISC)), 500 ,


$
.
(Reduced Instruction Set Computer (RISC)) , , ,
SPARC, 200 .2
, CISC RISC, $
$,
, . .
, C C++. , ,
,
. $
. $
, $
.
Voice over IP (VoIP)
, ,
? , $
, , $

CISC RISC
CISC ( ) $
RISC ( ); $
1970 IBM.
, RISC$$
, CISC$

. $

$ $
, Apple Mac, $
PowerPC RISC.
, ,
x86$ , $
.3

1 http://www.intel.com/intelpress/chapter-scientific.pdf
2 , . CISC $ , RISC.
3 http://www.openrce.org/blog/view/575


,
. $
,
.
, OllyDbg, $
, $
. , $
. $
, $ VoIP , $
,
.
$
;
$
, .
, , ,
.
$
, , +
. ,
.
, ,
, $.


, ,
, $
.
() .
, $
.
,
(. 23.1).
, . 23.1, , $
sub_ 8$ , $
. $
DataRescue Interactive Disassembler Pro (IDA Pro)1,

.
.

. . 23.1 $
1 http://www.datarescue.com


[Figure 23.1 residue: call graph with the nodes sub_00000010(), sub_00000440(), _snprintf(), sub_00000220(), sub_00000110(), sub_00000AE0(), sub_00000550(), recv(), sub_00000330()]

. 23.1.

; snprintf() recv().
, sub_00000110()
sub_00000330(), recv().

CFG
CFG$
. , $
. $
: ? $
,
, .
, :
;
;
.
:
;
.
.
, $
.
.

CFG
$
sub_00000010. . 23.2
. $
+.
. 23.2.


00000010 sub_00000010
00000010    push ebp
00000011    mov ebp, esp
00000013    sub esp, 128h

00000025    jz 00000050
0000002B    mov eax, 0Ah
00000030    mov ebx, 0Ah

00000050    xor eax, eax
00000052    xor ebx, ebx

. 23.2. + sub_00000010

$ $
. , $
0x00000010,
0x00000025.
0x0000002B, 0x00000050,
. $
CFG, . 23.2, ,
. 23.3.

00000010 sub_00000010

[block 00000010]
00000010    push ebp
00000011    mov ebp, esp
00000013    sub esp, 128h

00000025    jz 00000050

[block 0000002B]
0000002B    mov eax, 0Ah
00000030    mov ebx, 0Ah

[block 00000050]
00000050    xor eax, eax
00000052    xor ebx, ebx

. 23.3. sub_00000010


$
.
, , . .
,
. , $
.


$
. , $
, , ,
$
. , OllyDbg $
debug\trace into debug\trace over.
PyDbg,
20 : $
, :
1. .
2. , $
.
3. $
.
4.
.
, PyDbg $
50 Python. $
, $
; .
, , $
http://www.fuzzing.org.
, $
. $
.
, $
:
.

, .
, ,
$
.


, ,
;
?
,
. , $
.
, :
?
?
?
?
?
$
?

?
$
.
, $
. $
, .
$
IDA Pro. $
IDA. $
, ,
, .


, $ , :
? $
,
. $
, .
$
. $
PyDbg, :
1. .
2. .
3. .


4. $
.
5. $
.
$
$
,
, OllyDbg. $
, ,
.

PyDbg
PyDbg, $
. $
. $

.
$
PyDbg $
. , $
sysenter. $
, Microsoft Win$
dows. sysenter,
, ,
(. . ).

. :
from pydbg import *
from pydbg.defines import *

# breakpoint handler.
def on_bp (dbg):
    ea     = dbg.exception_address
    disasm = dbg.disasm(ea)

    # put every thread in single step mode.
    if dbg.first_breakpoint:
        for tid in dbg.enumerate_threads():
            handle = dbg.open_thread(tid)
            dbg.single_step(True, handle)
            dbg.close_handle(handle)

    print "%08x: %s" % (ea, disasm)
    dbg.single_step(True)
    return DBG_CONTINUE

# single step handler.
def on_ss (dbg):
    ea     = dbg.exception_address
    disasm = dbg.disasm(ea)

    print "%08x: %s" % (ea, disasm)

    # we can't single step into kernel space
    # so set a breakpoint on the return and continue
    if disasm == "sysenter":
        ret_addr = dbg.get_arg(0)
        dbg.bp_set(ret_addr)
    else:
        dbg.single_step(True)

    return DBG_CONTINUE

# create thread handler.
def on_ct (dbg):
    # put newly created threads in single step mode.
    dbg.single_step(True)
    return DBG_CONTINUE

dbg = pydbg()

dbg.set_callback(EXCEPTION_BREAKPOINT,      on_bp)
dbg.set_callback(EXCEPTION_SINGLE_STEP,     on_ss)
dbg.set_callback(CREATE_THREAD_DEBUG_EVENT, on_ct)

try:
    dbg.attach(123)
    dbg.debug_event_loop()
except pdx, x:
    dbg.cleanup().detach()
    print x.__str__()

, ,
, $
. $
, .
, $
. $
, . ,
,
.
,
, . $
$
. $
. $
,
.
.


$
.
, $
, $
.
( ,
. .). , $
.


, , $

, :
?
?
?
$
?
$
, $
. ,
.


, Mi$
crosoft Outlook Express Network News
Transfer Protocol (NNTP)1, 14 2005 .
$
. $
Microsoft:
Outlook
Express, .
,
, +
. +
+
. , +
.
1 http://www.microsoft.com/technet/security/bulletin/MS05-030.mspx


, $
, , , IDS$
IPS$. , ,
Outlook Express NNTP$. $
, $ , $
Process Stalker.1
Process Stalker ; $

OpenRCE.2
, $
Outlook Express ,
, MSOE.DLL.
Process Stalker IDA Pro
4800 58 000 . $
, , . $
, , Process Stalker $
, Outlook
Express NNTP$. . $
, $
. $
, NNTP$
news:// URI$, Internet Explorer, $
$
Outlook Express, , $
, , $
, . NNTP$
,
. 23.4.

. 23.4.

1 http://www.openrce.org/downloads/details/171/Process_Stalker
2 https://www.openrce.org/articles/full_view/12


,
. $
Process Stalker , $
GUI. NNTP$
Outlook Express. $
GUI
, $
NNTP$. $
91 . 1337 ,
, 747 .
58 000, , $
.
, $
,
26 . $
:
16$ .
!
$
( 1).


PyDbg1, ,
$
PaiMei. PaiMei Python $
2. PaiMei $
, $
(
24 ). $
PAIMEIpstalker ( Pro$
cess Stalker, PStalker). ,
, , $
, $
. :

PyDbg: win32$, Python;


pGRAPH:
, ;

1 http://www.hbo.com/sopranos/
2 http://openrce.org/downloads/details/208/PaiMei


PIDA: pGRAPH , $
(DLL EXE), $
, $
. ,
.

PyDbg . $
PIDA . PIDA
, $
, . :
import pida

module = pida.load("target.exe.pida")

# step through each function in the module.
for func in module.functions.values():
    print "%08x  %s" % (func.ea_start, func.name)

    # step through each basic block in the function.
    for bb in func.basic_blocks.values():
        print "\t%08x" % bb.ea_start

        # step through each instruction in the
        # basic block.
        for ins in bb.instructions.values():
            print "\t\t%08x %s" % (ins.ea, ins.disasm)


PIDA$ .
, .
, $
. $
, ,
PyDbg PIDA $
. PaiMei $
:

: $
. process_stalker.py, ,
$
;

: WxPython $
GUI$.
pstalker;

. $
pida_dump.py IDA$, Python. $
IDA Pro .PIDA.

PStalker $
WxPython GUI , , $


PaiMei. $
$
.

PStalker Layout
PStalker , $
PaiMei. PStalker
(. 23.5) .

. 23.5. PaiMei PStalker

Data Source
, $
PIDA. Data Exploration
. Data Capture .
:
, .
, $
.
.
PIDA .DLL$ .EXE$, $
.
.

$
.



.
.
,
PStalker .
$
.

PaiMei, 1, , $
PStalker.
, .


MySQL$ Con'
nections Retrieve Target List
. $
.
Available Targets. , $
.
:
Load hits. $
.
Append hits. ,
, .
Export to IDA. $
IDA .
Sync with uDraw. $
uDraw.
.
Use for stalking. $
.
.
Filter tag. $
. $
.
Clear tag. , ,
. PStalker , $
. $
.
Expand tag. $
,
( ).
1 http://pedram.openrce.org/PaiMei/docs/PAIMEIpstalker_flash_demo/


Target/tag properties. ,
, .
Delete tag. .

PIDA PIDA,
.
, $
PIDA. $
PIDA $
. PIDA $
.


.

. . $

.
,
, $
,
PIDA.



PIDA. $
.
Retrieve List $
, .
$
. Functions
Basic Blocks .
Restore BPs ,
. . $
.
Heavy , $
.
. Unhandled Only, $
,
.
,
Attach and Start Tracking. $
.


$
. $
, DataRescue's IDA Pro, , $
IDA Pro. , $
, .
. $
IDA Pro Make final pass , $
. , , $
,
.


,
PStalker. $
. $
. ,
.
MySQL.
: cc_hits, cc_tags, cc_targets.
, cc_targets $
, $
, :
CREATE TABLE `paimei`.`cc_targets` (
    `id` int(10) unsigned NOT NULL auto_increment,
    `target` varchar(255) NOT NULL default '',
    `notes` text NOT NULL,
    PRIMARY KEY (`id`)
) ENGINE=MyISAM;

SQL$ cc_tags,
, $
, :
CREATE TABLE `paimei`.`cc_tags` (
    `id` int(10) unsigned NOT NULL auto_increment,
    `target_id` int(10) unsigned NOT NULL default '0',
    `tag` varchar(255) NOT NULL default '',
    `notes` text NOT NULL,
    PRIMARY KEY (`id`)
) ENGINE=MyISAM;

, cc_hits $
:
CREATE TABLE `paimei`.`cc_hits` (
    `target_id` int(10) unsigned NOT NULL default '0',
    `tag_id` int(10) unsigned NOT NULL default '0',
    `num` int(10) unsigned NOT NULL default '0',
    `timestamp` int(10) unsigned NOT NULL default '0',
    `eip` int(10) unsigned NOT NULL default '0',
    `tid` int(10) unsigned NOT NULL default '0',
    `eax` int(10) unsigned NOT NULL default '0',
    `ebx` int(10) unsigned NOT NULL default '0',
    `ecx` int(10) unsigned NOT NULL default '0',
    `edx` int(10) unsigned NOT NULL default '0',
    `edi` int(10) unsigned NOT NULL default '0',
    `esi` int(10) unsigned NOT NULL default '0',
    `ebp` int(10) unsigned NOT NULL default '0',
    `esp` int(10) unsigned NOT NULL default '0',
    `esp_4` int(10) unsigned NOT NULL default '0',
    `esp_8` int(10) unsigned NOT NULL default '0',
    `esp_c` int(10) unsigned NOT NULL default '0',
    `esp_10` int(10) unsigned NOT NULL default '0',
    `eax_deref` text NOT NULL,
    `ebx_deref` text NOT NULL,
    `ecx_deref` text NOT NULL,
    `edx_deref` text NOT NULL,
    `edi_deref` text NOT NULL,
    `esi_deref` text NOT NULL,
    `ebp_deref` text NOT NULL,
    `esp_deref` text NOT NULL,
    `esp_4_deref` text NOT NULL,
    `esp_8_deref` text NOT NULL,
    `esp_c_deref` text NOT NULL,
    `esp_10_deref` text NOT NULL,
    `is_function` int(1) unsigned NOT NULL default '0',
    `module` varchar(255) NOT NULL default '',
    `base` int(10) unsigned NOT NULL default '0',
    PRIMARY KEY (`target_id`,`tag_id`,`num`),
    KEY `tag_id` (`tag_id`),
    KEY `target_id` (`target_id`)
) ENGINE=MyISAM;

cc_hits:
target_id tag_id. $
.
num. , $
, $
.
timestamp. UNIX$ (1 $
1970 , 00:00:00 GMT) , $
.
eip. , $
. $
.


tid. ,
eip. Windows $
, $
.
eax, ebx, ecx, edx, edi, esi, ebp esp.
$
. $
deref, ASCII$, $
. ASCII$
(stack), (heap) (global), $
. N/A , $
, $
.
esp_4, esp_8, esp_c esp_10. $
(esp_4 = [esp+4], esp_8 = [esp+8], . .).
is_function. . 1 ,
( eip) .
module. , .
base. ,
. $
eip , $
.

$
, PStalker.


PStalker $
. $
Gizmo Project1, VoIP Instant Messaging
(IM). . 23.6 $
Gizmo Project, .
Gizmo ,
. $
Skype2, Gizmo $
VoIP, Session Initiation Protocol (SIP RFC 3261),
. Gizmo
SIP$ . $
Gizmo VoIP.
, , $
.
1 http://www.gizmoproject.com/
2 http://www.skype.com/


[Figure 23.6 residue: Gizmo Project window with the "Map it" control]

. 23.6. Gizmo Project

Gizmo
SIP$. , VoIP$$
, , SIP,
. $
SIP$. $
, $
, PROTOS
Test$Suite: c07$sip.1 4527 $$
, Java JAR$. $
INVITE$,
. PROTOS $
,

1 http://www.ee.oulu.fi/research/ouspg/protos/testing/c07/sip/


Codenomicon.1 SIP$
$
31 971 $.
, Utilize PStalker $
PROTOS. $
, $
.
.
$ PROTOS
20 .
:
$ java -jar c07-sip-r2.jar -h
Usage java -jar <jarfile>.jar [ [OPTIONS] | -touri <SIP-URI> ]
  -touri <addr>        Recipient of the request
                       Example: <addr> : you@there.com
  -fromuri <addr>      Initiator of the request
                       Default: user@pamini.unity.local
  -sendto <domain>     Send packets to <domain> instead of
                       domainname of -touri
  -callid <callid>     Call id to start testcase call ids from
                       Default: 0
  -dport <port>        Portnumber to send packets on host.
                       Default: 5060
  -lport <port>        Local portnumber to send packets from
                       Default: 5060
  -delay <ms>          Time to wait before sending new testcase
                       Defaults to 100 ms (milliseconds)
  -replywait <ms>      Maximum time to wait for host to reply
                       Defaults to 100 ms (milliseconds)
  -file <file>         Send file <file> instead of testcase(s)
  -help                Display this help
  -jarfile <file>      Get data from an alternate bugcat
                       JAR-file <file>
  -showreply           Show received packets
  -showsent            Show sent packets
  -teardown            Send CANCEL/ACK
  -single <index>      Inject a single testcase <index>
  -start <index>       Inject testcases starting from <index>
  -stop <index>        Stop testcase injection to <index>
  -maxpdusize <int>    Maximum PDU size
                       Default to 65507 bytes
  -validcase           Send valid case (case #0) after each
                       testcase and wait for a response.
                       May be used to check if the target is still
                       responding. Default: off

1 http://www.codenomicon.com/


, $
,
java -jar c07-sip-r2.jar -touri 17476624642@10.20.30.40 \
    -teardown \
    -sendto 10.20.30.40 \
    -dport 64064 \
    -delay 2000 \
    -validcase

( touri).
delay Gizmo , $
, GUI $.
-validcase , PROTOS $
, $ .
, $
. , Gizmo $
. Gizmo, $
. 250 $.
$, !

Gizmo
[*] 0x004fd5d6 mov eax,[esi+0x38] from thread 196 caused access violation
when attempting to read from 0x00000038

CONTEXT DUMP
  EIP: 004fd5d6 mov eax,[esi+0x38]
  EAX: 0419fdfc (  68812284) -> <CCallMgr::IgnoreCall() (stack)
  EBX: 006ca788 (   7120776) -> e(elllllllllllllllllllll (PGPlsp.dll.data)
  ECX: 00000000 (         0) -> N/A
  EDX: 00be0003 (  12451843) -> N/A
  EDI: 00000000 (         0) -> N/A
  ESI: 00000000 (         0) -> N/A
  EBP: 00000000 (         0) -> N/A
  ESP: 0419fdd8 (  68812248) -> NR (stack)
  +00: 861c524e (2250003022) -> N/A
  +04: 0065d7fa (   6674426) -> N/A
  +08: 00000001 (         1) -> N/A
  +0c: 0419fe4c (  68812364) -> xN (stack)
  +10: 0419ff9c (  68812700) -> raOo|hoho||@ho0@*@b0zp (stack)
  +14: 0061cb99 (   6409113) -> N/A

disasm around:
  0x004fd5c7 xor eax,esp
  0x004fd5c9 push eax
  0x004fd5ca lea eax,[esp+0x24]
  0x004fd5ce mov fs:[0x0],eax
  0x004fd5d4 mov esi,ecx
  0x004fd5d6 mov eax,[esi+0x38]
  0x004fd5d9 push eax
  0x004fd5da lea eax,[esp+0xc]
  0x004fd5de push eax
  0x004fd5df call 0x52cc60
  0x004fd5e4 add esp,0x8

SEH unwind:
  0419ff9c -> 006171e8: mov edx,[esp+0x8]
  0419ffdc -> 006172d7: mov edx,[esp+0x8]
  ffffffff -> 7c839aa8: push ebp

touri dport , $
5060 ( SIP$)
Gizmo.
. 23.7 $
.
17476624642 Gizmo, 64064
SIP$.
, , $
, .
.

. 23.7. sip+ Gizmo

SIP, $
. , , $
SIPPhoneAPI.dll.
IDA Pro
pida_dump.py SIPPhoneAPI.pida. $
,
. PaiMei $


. PaiMei
$.1 (. 23.8) $
Gizmo Idle,
Gizmo .
,
,
. Idle (. 23.9)
SIPPhoneAPI PIDA (. 23.10).

. 23.8. PaiMei PStalker

. 23.9. Idle
1 http://pedram.openrce.org/PaiMei/docs/


. 23.10. SIPPhoneAPI PIDA

. 23.11.

,
.
. 23.11 ,
. Refresh Process List $
. $
Gizmo, .
Coverage Depth Basic Blocks $
. . 23.10,
25 000 . ,
, ,
, .
Restore BPs , $
. , $
.
, Heavy. ,

. ,
,
$ .


Start Stalking
Gizmo . $
,
PaiMei. $
PStalker. $
:
[*] Stalking module sipphoneapi.dll
[*] Loading 0x7c900000 \WINDOWS\system32\ntdll.dll
[*] Loading 0x7c800000 \WINDOWS\system32\kernel32.dll
[*] Loading 0x76b40000 \WINDOWS\system32\winmm.dll
[*] Loading 0x77d40000 \WINDOWS\system32\user32.dll
[*] Loading 0x77f10000 \WINDOWS\system32\gdi32.dll
[*] Loading 0x77dd0000 \WINDOWS\system32\advapi32.dll
[*] Loading 0x77e70000 \WINDOWS\system32\rpcrt4.dll
[*] Loading 0x76d60000 \WINDOWS\system32\iphlpapi.dll
[*] Loading 0x77c10000 \WINDOWS\system32\msvcrt.dll
[*] Loading 0x71ab0000 \WINDOWS\system32\ws2_32.dll
[*] Loading 0x71aa0000 \WINDOWS\system32\ws2help.dll
[*] Loading 0x10000000 \Internet\Gizmo Project\SipphoneAPI.dll
[*] Setting 105174 breakpoints on basic blocks in SipphoneAPI.dll
[*] Loading 0x16000000 \Internet\Gizmo Project\dnssd.dll
[*] Loading 0x006f0000 \Internet\Gizmo Project\libeay32.dll
[*] Loading 0x71ad0000 \WINDOWS\system32\wsock32.dll
[*] Loading 0x7c340000 \Internet\Gizmo Project\MSVCR71.DLL
[*] Loading 0x00340000 \Internet\Gizmo Project\ssleay32.dll
[*] Loading 0x774e0000 \WINDOWS\system32\ole32.dll
[*] Loading 0x77120000 \WINDOWS\system32\oleaut32.dll
[*] Loading 0x00370000 \Internet\Gizmo Project\IdleHook.dll
[*] Loading 0x61410000 \WINDOWS\system32\urlmon.dll
...
[*] debugger hit 10221d31 cc #1
[*] debugger hit 10221d4b cc #2
[*] debugger hit 10221d67 cc #3
[*] debugger hit 10221e20 cc #4
[*] debugger hit 10221e58 cc #5
[*] debugger hit 10221e5c cc #6
[*] debugger hit 10221e6a cc #7
[*] debugger hit 10221e6e cc #8
[*] debugger hit 10221e7e cc #9
[*] debugger hit 10221ea4 cc #10
[*] debugger hit 1028c2d0 cc #11
[*] debugger hit 1028c30d cc #12
[*] debugger hit 1028c369 cc #13
[*] debugger hit 1028c37b cc #14



. , $
, SIP,
Gizmo, .
,


Use for Stalking.


Idle Filter Tag. $
, . $
. . 23.12
, 4527 $ PROTOS.

. 23.12.

, PROTOS 6% 9% $
SIPPhoneAPI. $
, ,
$ .
$ , $
, ,
. , $
,
$. , Gizmo
$ PROTOS $
, Gizmo ,
.
$
, .
, PROTOS 1/7 $
, , $
7 ? , . ,
, $
.
,
?
.


, .
QA $


, $
, $
.
, $
$, Codenomicon. $
,
, . $
:
.
, $
. $
, $
, ,
. .
, , $
, VoIP, ,
. $
, $
. ,
: VoIP 45 000 $
$. $
? , 45 000 $ 5000
. , , $
$
. , $
. $
$
: VoIP
45 000 $, 90% .
QA$ , $
$. $
. , $
, $, $
, parse_sip(). $
, , ,
, . $
. $
$
, .
,
,
$
. QA$ $
, . $
QA , $


,

.
, .
, $
, ,
.
, $
. ,
, . ,
, ,
.


, ,
.
$
.
$
, , , $
. , , $
, . ,
, $
$.

.
. 18.5.2
3B1 2
Intel IA32, Pentium 4 Xeon
:
BTF (single-step on branches) flag (bit 1)
TF EFLAG
,
. $
, (.
18.5.5 , $
).
, , $

.

1 ftp://download.intel.com/design/Pentium4/manuals/25366919.pdf
2 http://www.intel.com/products/processor/manuals/index.htm


,
. , $
,

. , $
,
.
, ;
$ .
. $
PyDbg, ,
Branch Tracing with Intel MSR Registers1 OpenRCE $
. $
.

( ). ,
, ; $
, , $
. ,
. , ,
, . 23.13.

. 23.13.

, $
A, B, D $. $
? ,
$? $

1 http://www.openrce.org/blog/view/535


, $
, :
ABD
ABCD
ACD
, , $
, .
, , ,
66% .
$.

$
, , $
Python. , $
$
.
, $
. : ? $
: ?
, $
.
PaiMei
Pstalker . ,
. $
, .
$
.
$
,
, $
.

24


, .
$.,
, ,
31 2000

, . , .
, , $
. , $
. ,
$
. :
. $
, , , $
, $
.
$
, .
, , $


(dynamic binary instrumentation (DBI)). , $
, , , $
, , .



, 50 000
IMAP$,
IMAP$ ,
$? . .
, $ , $
, $
. , , .

$. , , $
$, PROTOS $
. IMAP, ,
, $ :
x001 LOGIN AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
x001 LOGIN %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s

TCP$
$ 143 ( IMAP$). $
, $ $
. , Codenomi$
con, , $
($ ) $. $
:
for case in test_cases:
    fuzzer.send(case)

    if not fuzzer.tcp_connect(143):
        fuzzer.log_fault(case)

,
. , ,
paimei whiteeyebrow IMAP$, $
, , $
paimei.
,
$.
:
for case in test_cases:
    fuzzer.send(case)

    if not fuzzer.imap_login("paimei", "whiteeyebrow"):
        fuzzer.log_fault(case)

, , $
, $
. .
, , , IMAP$$
500$ $ . !


, !
, ,
, 500$ $, , $
, . ? $
. , , $
$ IMAP$$
, 500$ $ $
. 500$ $
.
, +
.
: , $ $
1$ 499$ IMAP$, 500$ $
, , $
. ,
. :
# find the upper bound:
for i in xrange(1, 500):
    for j in xrange(1, i + 1):
        fuzzer.send(j)

    fuzzer.send(500)

    if not fuzzer.tcp_connect(143):
        upper_bound = i
        break

    fuzzer.restart_target()

# find the lower bound:
for i in xrange(upper_bound, 0, -1):
    for j in xrange(i, upper_bound + 1):
        fuzzer.send(j)

    fuzzer.send(500)

    if not fuzzer.tcp_connect(143):
        lower_bound = i
        break

    fuzzer.restart_target()


,
.
1$ n$ , 500$, n 1.
, $
.
. $
$, $
500$


. , , , $
, $
$. , , $
$ 15$ 20$ 500, $
15$ 20$ $
. .
$
. ,
, . ,
, .
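The bound search sketched above, as an added Python 3 example that is not part of the book: it runs against a simulated IMAP target instead of a live server and adds a final pass that discards every case in the bounded range that the crash does not actually depend on. The simulated target is a constructed assumption for the example: case 500 only kills it when cases 15, 17 and 20 were all processed earlier in the same process lifetime, so the upper bound is 20, the lower bound is 15, and the minimized set is those three cases. The lower-bound loop takes the first i, walking down from the upper bound, at which i..upper_bound followed by case 500 still crashes the target.

```python
CRASH_CASE = 500
REQUIRED_PRECURSORS = {15, 17, 20}   # constructed for the example, not from the book


class SimulatedTarget(object):
    """Stands in for the real target: remembers what it has processed since the
    last restart, and dies on the crash case only once every precursor was seen."""

    def __init__(self):
        self.restart_target()

    def restart_target(self):
        self.seen = set()
        self.alive = True

    def send(self, case):
        if not self.alive:
            return
        self.seen.add(case)
        if case == CRASH_CASE and REQUIRED_PRECURSORS <= self.seen:
            self.alive = False

    def tcp_connect(self, port=143):
        """Mirrors fuzzer.tcp_connect(143): True while the service still answers."""
        return self.alive


def replay(target, cases, crash_case=CRASH_CASE):
    """Restart, replay 'cases' in order, send the crash case; True if the target died."""
    target.restart_target()
    for case in cases:
        target.send(case)
    target.send(crash_case)
    return not target.tcp_connect(143)


def find_upper_bound(target, crash_case=CRASH_CASE):
    """Smallest i such that cases 1..i followed by the crash case kill the target."""
    for i in range(1, crash_case):
        if replay(target, range(1, i + 1), crash_case):
            return i
    return None


def find_lower_bound(target, upper_bound, crash_case=CRASH_CASE):
    """Walking down from the upper bound, the first i for which i..upper_bound
    followed by the crash case still kills the target is the lower bound."""
    for i in range(upper_bound, 0, -1):
        if replay(target, range(i, upper_bound + 1), crash_case):
            return i
    return None


def minimize(target, lower_bound, upper_bound, crash_case=CRASH_CASE):
    """Try dropping each case in [lower, upper] in turn; a case is kept only if
    the crash disappears without it."""
    needed = list(range(lower_bound, upper_bound + 1))
    for case in list(needed):
        trial = [c for c in needed if c != case]
        if replay(target, trial, crash_case):
            needed = trial
    return needed


if __name__ == "__main__":
    target = SimulatedTarget()
    upper = find_upper_bound(target)
    lower = find_lower_bound(target, upper)
    print("upper bound %d, lower bound %d" % (upper, lower))
    print("cases the crash depends on: %r" % minimize(target, lower, upper))
```

Every probe restarts the target first, so the cost is one restart per candidate; on a real service that is what makes the search slow, and it is also why the bounded range is worth minimizing further before anyone tries to reproduce the fault by hand.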

?

, , $
.
. , ,
, $
, .
, , $
. $
, . $
, ,
, $ .
,
. $

. , $
.
, , $
,
$
.
IMAP$. $
,
, ,
. $
, . $
, $
, :

;
.

. C


0x12FFFEEE
    arg2
    arg1
    EIP
    EBP
    int x
    char buf[16]
    int y
0x12000000

. 24.1.

, , $
. 24.1.
void taboo (int arg1, char *arg2)
{
    int  x;
    char buf[16];
    int  y;

    strcpy(buf, arg2);
}

, $
, $
,
.
taboo() , $
. CALL $
(
EIP) . , , $
. $
($
EBP) . ,
($
ESP). ,
. 24.1.


. 24.1,
.
. arg2 16 ($
buf), strcpy()
buf , $
x, ,
, . . $
, arg2 A, EIP $
0x41414141 (0x41 $
ASCII$ A).
taboo() , RETN $
EIP $
, 0x41414141.
0x41414141
.
, $
0x41414141 $
ACCESS_VIOLATION. , $
arg2, 16, 20 ,
.
, $

(NX1) , $
0x41414141 ACCESS_VIOLATION. ,
, . , $
. $
.
$
C, (. . 24.1):
void taboo_two (int arg1, char *arg2)
{
    int  *x;
    char buf[] = "quick brown dog.";
    int  y = 10;

    x = &y;

    for (int i = 0; i < arg1; i++)
        printf("%02x\n", buf[i]);

    strcpy(buf, arg2);

    printf("%d\n", *x);
}

1 http://en.wikipedia.org/wiki/NX_bit


, $
,
x y. $
buf, $
arg1. $
, ,
, 16 printf().
, , $
, .
x,
, $
, . . arg1
ACCESS_VIOLATION ,

, ,
, $
.
, $
. , , , arg2
20 A ( 4 , buf),
$ x; $
,
. , printf(), $
, $
ACCESS_VIOLATION 0x41414141.
, $
, $
:
void syslog_wrapper (char *message)
{
    syslog(message);
}

API$ syslog() $
.
syslog() ,
message, , ,
. $
, $
, , . , $
%s%s%s%s%s, 5
,
. $
%s ACCESS_VIOLATION.
, , $
, NULL$, ,


NULL. , $
$
.
$
C, (. . 24.1):
void taboo_three (int arg1, char *arg2)
{
    int  x;
    char buf[] = "quick brown dog.";
    int  y;

    buf[arg1] = '\0';
}

, $
, , $
buf , arg1. $
, 16 $
.
, , $
, , .
, ,
.
;
, , $
:1
char *A = malloc(8);
char *B = malloc(16);
char *C = malloc(24);
strcpy(A, "PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP");
free(B);


, .

, $
. 24.2.

. 24.2.

1 http://doc.bughunter.net/buffer-overflow/free.html


strcpy(), ,
A, ,
P. ,
. $
? free(B)
B A C. :
B->backward->forward = B->forward
B->forward->backward = B->backward


, , strcpy(),
B 0x50505050 (0x50 $
ASCII$ P). $
.


,
.
. $
, $
$
C$
.1 $

, .
,
, $
, $

DoS. , $
, .
1 http://www.cs.drexel.edu/~spiros/research/papers/WCRE03a.pdf


, $
$
, $
. , , ,
, $


, $
. $
.
, . . ,
, .
, , , $
, , $
. A
0x41414141.
, , $
ACCESS_VIOLATION; $
, . $
, $
, , .
4
, ?

( 0x80000000-0xFFFFFFFF),
.
, $
. , $
%s, $
.
%s ,
, , $
, .
? , $
,
%n .
%n ,
$
. %n, %s, $
, $
. %n%s
, %n $
(. 6 )
, .
6
.


,
,


. ,
,

. , $
PaiMei.1 $
,
, . 24.3. ,
Windows$, ,
, Intel IA$32.

. 24.3.


, , $
IMAP$.
, .
. $
,
,
, $
, , $
. , $
Python:
from pydbg import *
from pydbg.defines import *
import utils

def av_handler (dbg):
    crash_bin = utils.crash_binning.crash_binning()
    crash_bin.record_crash(dbg)

    # signal the fuzzer.

    print crash_bin.crash_synopsis()
    dbg.terminate_process()

while 1:
    dbg = pydbg()
    dbg.set_callback(EXCEPTION_ACCESS_VIOLATION, av_handler)
    dbg.load(target_program, arguments)

    # signal the fuzzer.

    dbg.run()

1 https://www.openrce.org/downloads/details/208/PaiMei

PaiMei $
, , Python .
,
$
Windows PyDbg1.
. PaiMei.utils2 ,
. $
crash_binning, .
while, $
PyDbg av_handler()
ACCESS_VIO$
LATION. , $
, .
$
.
$
, , .
$
run() ( debug_event_loop()).
$
av_handler().
$
PyDbg.
PaiMei$ crash_binning.
, $
. , , $
record_crash():
. , ,
, ACCESS_VIOLATION.
. , ,
.
1 http://pedram.redhive.com/PaiMei/docs/PyDbg/
2 http://pedram.redhive.com/PaiMei/docs/Utilities/


. , $
.
. $
, . 4
1234
0xDEADBEEF 0xC0CAC01A
.

64 Windows
32$ Win$
dows ,
. .
EBP. $
EBP. $
EBP+4. $
(TEB), FS1: FS[4] $
FS[8] .
, $
, EBP$ .

, , $
EBP $
. EBP$ $

EBP:
MOV EAX, [EBP-0xC]          ; EBP-based framing
MOV EAX, [ESP+0x44-0xC]     ; frame pointer omitted
, $
,
. Microsoft 64$$
,
MSDN.2 , $
( $
)
, Portable Executable$$
(PE)3, .
1 http://openrce.org/reference_library/files/reference/Windows%20Memory%20Layout,%20User-Kernel%20Address%20Spaces.pdf
2 http://msdn2.microsoft.com/en-us/library/7kcdt6fy.aspx
3 http://www.uninformed.org/?v=4&a=1&t=sumry


. .
. , .
. $
, . $
.
. .
32$$
Windows$, , $
, . $
23 $
.
SEH+. (Structu$
red Exception Handler (SEH)). ,
, ,
, ,
.

,
, $ , $
.
, , $
$.
, , $
, record_crash(), $
, . while $
. PyDbg,
20 : .
, . PyDbg
$
. , .
, $
, $
, , $, .
,
.
.


IMAP, . $
: , 50 000 $
$. $
, 1000 $
. $
, , .
:

Test case 00005: x01 LOGIN %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
EAX=11223300 ECX=FFFF7248
EIP=0x00112233: REP SCASB
Test case 00017: x01 AUTHENTICATE %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
EAX=00000000 ECX=FFFFFF70
EIP=0x00112233: REP SCASB
Test case 00023: x02 SELECT %s%s%s%s%s%s%s%s%s%s%s%s%s%s%s
EAX=47392700 ECX=FFFEEF44
EIP=0x00112233: REP SCASB

. $
$
( ). , $
, ,
$ , $
. ,
REP SCASB, $
, 1000 .
.
. SCASB IA$32
, AL (
EAX). AL=0.
REP ECX,
ECX 0. ECX
. ,
. ,
.
. 1000 $, ,
,
( ).
(, ). ? , .
, PaiMei$ crash binning
.

.
record_crash() $
. . $

1000 50 000 $ :
50 000 $ 650 0x00112233,
300 0x11335577, 20 0x22446688 . . $
:
from pydbg import *
from pydbg.defines import *
import utils

crash_bin = utils.crash_binning.crash_binning()

def av_handler (dbg):
    global crash_bin

    crash_bin.record_crash(dbg)

    # signal the fuzzer.

    for ea in crash_bin.bins.keys():
        print "%d recorded crashes at %08x" % \
            (len(crash_bin.bins[ea]), ea)

    print crash_bin.crash_synopsis()
    dbg.terminate_process()

while 1:
    dbg = pydbg()
    dbg.set_callback(EXCEPTION_ACCESS_VIOLATION, av_handler)
    dbg.load(target_program, arguments)

    # signal the fuzzer.

    dbg.run()

,
. : $
$
.
,
. $
,
. $
,
crash_synopsis().
$
$
, . $
. $
$
, (. 24.4).
. 24.4
.
. $
, . $
50 000 $ 650
0x00112233, 300 0x11335577, 20
0x22446688 50 000 $ 650
0x00112233, 400 x, y, z, 250 a, b, z
. . , $
.


[Figure 24.4 residue: crash-path tree with the call-site nodes 0x33234567, 0x77234567, 0x66234567, 0x11234567, 0x55234567, 0x11234567, 0x22234567 and 0x44234567 (logger()), and the crash points 0x00112233, 0x11335577 and 0x22446688]

. 24.4.

0x00112233 0x11335577. $
,
.
logger(). ? , $
.
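An added Python 3 example, not PaiMei's crash_binning module: a minimal crash-binning structure that keys crashes first by faulting address (EIP) and then by the call path that led there, so that one bug reached through many callers shows up as a single bin with several paths instead of hundreds of unrelated crashes, and the shared frame (the logger() of the text) falls out as the intersection of those paths. The crash records are constructed; the faulting addresses and frame addresses reuse the placeholder values from the figure above.

```python
import collections

Crash = collections.namedtuple("Crash", "test_case eip stack")

# Constructed crash records (not real captures): the frame addresses are the
# placeholder values from the figure, innermost frame first.
CRASHES = [
    Crash(5,  0x00112233, (0x33234567, 0x22234567, 0x44234567)),
    Crash(17, 0x00112233, (0x33234567, 0x22234567, 0x44234567)),
    Crash(23, 0x00112233, (0x77234567, 0x55234567, 0x44234567)),
    Crash(41, 0x11335577, (0x66234567, 0x11234567, 0x44234567)),
    Crash(58, 0x00112233, (0x77234567, 0x55234567, 0x44234567)),
]


class CrashBinning(object):
    def __init__(self):
        self.bins = collections.defaultdict(list)   # eip -> [Crash, ...]

    def record_crash(self, crash):
        """Called once per access violation, in the spirit of record_crash() above."""
        self.bins[crash.eip].append(crash)

    def by_eip(self):
        """Number of crashes that landed on each faulting address."""
        return {eip: len(crashes) for eip, crashes in self.bins.items()}

    def by_path(self, eip):
        """Distinct call paths that reached eip, with the crash count per path."""
        return collections.Counter(crash.stack for crash in self.bins[eip])

    def common_frames(self, eip):
        """Frames present on every path to eip: the shared caller is found here."""
        stacks = [set(crash.stack) for crash in self.bins[eip]]
        return set.intersection(*stacks) if stacks else set()

    def test_cases(self, eip):
        """Test case numbers to replay for one bin."""
        return sorted(crash.test_case for crash in self.bins[eip])

    def crash_synopsis(self):
        lines = []
        for eip, crashes in sorted(self.bins.items()):
            paths = self.by_path(eip)
            lines.append("%d recorded crashes at %08x via %d distinct path(s)"
                         % (len(crashes), eip, len(paths)))
        return "\n".join(lines)


if __name__ == "__main__":
    binning = CrashBinning()
    for crash in CRASHES:
        binning.record_crash(crash)
    print(binning.crash_synopsis())
    print("shared frames for 00112233: %s"
          % ", ".join("%08x" % f for f in sorted(binning.common_frames(0x00112233))))
```

Keying on the full stack tuple means two crashes count as the same path only when every frame matches; a looser key (the two or three outermost frames) collapses more cases per bin at the price of occasionally merging two distinct bugs that share a caller.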

IMAP$, , $
IMAP$
. , $
,
. $
.

:
.
, , Mi$
crosoft Windows , $


.1 ,
. , ,
. , $
, , .
, $
, . $
, $
, EXCEPTION_DEBUG_INFO.2
PyDbg $
:
def access_violation_handler (dbg):
    if dbg.dbg.u.Exception.dwFirstChance:
        pass    # first chance
    else:
        pass    # last chance

dwFirstChance , $

. $
? , ,
. , ,
IMAP$
$
logger():
void logger (char *message)
{
    __try
    {
        // format string vulnerability.
        fprintf(log_file, message);
    }
    __except (EXCEPTION_EXECUTE_HANDLER)
    {
        fprintf(log_file, "Log entry failed!\n");
    }
}

try/except fprintf() $
. , fprintf() $
, fprintf() .
, $
, IMAP$
1 http://msdn.microsoft.com/msdnmag/issues/01/09/hood/
2 http://msdn.microsoft.com/library/default.asp?url=/library/en-us/wcecoreos5/html/wce50lrfexceptiondebuginfo.asp


. , $
! , .
, , $

. $
, . $
, .
, $
, $

.
.


. ,
5 ,
DBI. , $
,
. , $
, $
. DBI $
.
23 , $
,
, , $
. DBI
, $
$ .

. $
$
RISC$ .
DBI
$ . API DBI $

.

DBI$, DynamoRIO1, DynInst2 Pin3. DynamoRIO,
,
Hewlett-Packard. DynamoRIO $
1 http://www.cag.lcs.mit.edu/dynamorio/
2 http://www.dyninst.org/
3 http://rogue.colorado.edu/pin/


IA$32 Microsoft Windows,


Linux. DynamoRIO ,
,
Memory Firewall1 Determina2. $
DynamoRIO Determina
, Secure Execution Via Program Shepherding ( $
).3 PinDBI , , $
DBI$, $
, , $
DBI.
DBI
:
, $
. $
:
#include <stdlib.h>
#include <string.h>
void heap_corruption_example (void)
{
    char *A = malloc(8);
    char *B = malloc(16);
    char *C = malloc(24);
    strcpy(A, "PPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPPP");  /* overflows A's 8-byte chunk into B's header */
    free(B);                                         /* frees a chunk whose metadata was corrupted */
}


,
strcpy(). , $
. $
.
$
$
, free().
DBI $
.
$
.
,
.
$
.
, , .
,
DBI, . , $
1 http://www.determina.com/products/memory_firewall.asp
2 http://www.determina.com/
3 http://www.determina.com/products/memory_firewall.asp


. $
, IBM Rational Purify1, Compuware DevPartner
BoundsChecker2, OC Systems RootCause3 Parasoft Insure++4. Purify,
, , Static Binary Instrumentation (SBI), BoundsChecker SBI DBI. ,
$
. , $
Valgrind5. Valgrind
DBI, ,
Memcheck, $
. Valgrind
, $
Annelid.6
, $
$, $
.


, $
. DBI, DBI$
, $
.
, ,
$
$. $
, $ , $
, .
$

.

1 http://www-306.ibm.com/software/awdtools/purify/
2 http://www.compuware.com/products/devpartner/visualc.htm
3 http://www.ocsystems.com/prod_rootcause.html
4 http://www.parasoft.com/jsp/products/home.jsp?product=Insure
5 http://valgrind.org/
6 http://valgrind.org/downloads/variants.html?njn

IV

25.
26.

25

: ?
$.,
, ,
11 2000

, $
, ,
.
, $
: , $
. $
(SDLC, software development lifecycle) , $
.


$ $
$
,
, SDLC. Microsoft $
Trustworthy Computing Security
Development Lifecycle (
, ).1 $
1 http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnsecure/html/sdl.asp



, , $
, $
(Security Development Lifecycle, SDL). Microsoft
SDL, SDLC; $
. 25.1.

. 25.1. SDLC SDL Microsoft

, Microsoft
SDLC. $
, $
SDLC.
SDLC,
. ,
$

.
SDLC ,
(Winston Royce)1 $
1 http://en.wikipedia.org/wiki/Waterfall_process


. $
: $
. . 25.2.

.

Microsoft
, Microsoft
SDLC. Microsoft
, , $
. , Microsoft , $
,
.
, , Microsoft Internet Information Services (IIS)1,
$ Microsoft. 14 $
5.x.2 6.x,
2003 , 3, $
.
$
$
/GS4, (Data Execution
Prevention, DEP) $
(Safe Structured Exception Handling, SafeSEH)5; $
Windows Vista $
(Address Space
Layout Randomization, ASLR).6 Microsoft $
$
, , Secure Windows Initiative.7 , $
$
, .
1 http://www.microsoft.com/WindowsServer2003/iis/default.mspx
2 http://secunia.com/product/39/?task=advisories
3 http://secunia.com/product/1438/?task=advisories
4 http://msdn2.microsoft.com/en-US/library/8dbf701c.aspx
5 http://en.wikipedia.org/wiki/Data_Execution_Prevention
6 http://www.symantec.com/avcenter/reference/Address_Space_Layout_Randomization.pdf
7 http://www.microsoft.com/technet/Security/bestprac/secwinin.mspx


. 25.2.

,
. $
, $
. SDLC , $
,
,
.

$
. $
,
. $
,
.
, $
. $
, .
, $
. ,
. , $
Linux, .
Windows,
ActiveX,
$? ,
COM$.
$
SDLC. , , $



, , , $
$
(Extensible Messaging and Presence Protocol, XMPP). $
XML$,
1999 Jabber.1
.
$
XMPP XMPP .

. , $

. , ,
.
, . $

, , $ $
. ,
.

$
.
,
. $
$
.

,
. $
, . $
ActiveX, .
19 20
: ,
. $
$
,
, , $
.
, $
, $
, $

1 http://www.jabber.org/


. ,
, , $
. ,
, $
,
. ,
SDLC ,
. ,
.

, $
. $
, . . . $
, $
. ,
, , SDLC, . .
.
,
, $
, . SDLC $
$
, $
, .
,
$
, . $
. ,
$
, $
, $
. $
, , $
, , ,
.

, $
, , $
, , $
. $
, ,
, . $
, $
. ,


$
$
. , $
, ,
$ . ,
32$ , 64$.
,
.
$
.
, ,
. $
,
, $
,
.

SDLC
, $
,
. , $
, SDLC , $
. , $

. .
$
SDLC, .

$
. $
, .

, $
$
, .
$
(IDE), $
. , Microsoft Visual Studio IDE $
C# Visual Basic Windows, Eclipse
Java $
.
IDE$$
,


. DevInspect1
SPI Dynamics, ,
. DevInspect , $
Visual Studio Eclipse ,
, $
ASP.Net Java .


$
, . , , $
$ ,
,
.
, $
, .
$
. , $
$
. ,
, .
, $
. $
, ,
,
,
. $
. $
.


$ .
$
$
.
SDLC. $
. SDLC $
,
. , Microsoft
BlueHat Security Briefings2,
.

1 http://www.spidynamics.com/products/devinspect/
2 http://www.microsoft.com/technet/security/bluehat/sessions/default.mspx


$
SDLC.
, , $
, . 25.3.
,

$
.
, $

,
.

100X

15X

6.5X
1X

. 25.3. SDLC

, $
: , $
. ,
, . $
,
.
$
SDLC. $
, .
,
,
.

26

, .
$.,

3 11 .
, ,
20 2001

?
,
SDLC. $
, ,
, $
.
, , $
.


,
. $
$
. Microsoft $

SDLC, ,
$
.
, .


beSTORM1 Beyond Security


beSTORM ,
$
. Beyond Security
, $ SecuriTeam2, $
. , $
beSTORM, :
HTTP Hypertext Transfer Protocol ( $
)
FrontPage
DNS Domain Name System ( )
FTP File Transfer Protocol ( )
TFTP Trivial File Transfer Protocol ( $
)
POP3 Post Office Protocol v3 ( )
SIP Session Initiation Protocol ( )
SMB Server Message Block ( )
SMTP Simple Mail Transfer Protocol (
)
SSLv3 Secure Sockets Layer v3 ( )
STUN Simple Traversal of User Datagram Protocol (UDP) Through
Network Address Translators (NATs) ( UDP
( ) NAT
( ))
DHCP Dynamic Host Configuration Protocol ( $
)
beSTORM Windows, UNIX Linux $
.3

. beSTORM ,
UNIX Linux. . 26.1 $
beSTORM.

1 http://www.beyondsecurity.com/
2 http://www.securiteam.com/
3 http://www.beyondsecurity.com/beSTORM_FAQ.pdf


. 26.1. beSTORM Beyond Security

BPS1000 BreakingPoint Systems1


BreakingPoint . $
, . BPS-1000 ,
5 TCP 500 000 (. 26.2). $
BPS-1000 ,
.

. 26.2. BPS-1000 BreakingPoint Systems


1 http://www.breakingpointsystems.com/


BPS-1000 AC$
,
$.

Codenomicon1
Codenomicon , ,
. Codenomicon
PROTOS2, , $
. (, ). PROTOS $
2002 , $
,
SNMPv1. PROTOS
SNMPv1 $
.
, $
, , $
, .3
, $
, ,
. $
PROTOS SNMPv1 ,
, $
$
.4 PROTOS
$
, :
WAP Wireless Application Protocol ( $
)
HTTP Hypertext Transfer Protocol ( $
)
LDAPv3 Lightweight Directory Access Protocol v3 (
)
SNMPv1 Simple Network Management Protocol v1 ( $
)
SIP Session Initiation Protocol ( )
H.323 , $

1 http://www.codenomicon.com/
2 http://www.ee.oulu.fi/research/ouspg/protos/
3 http://www.ee.oulu.fi/research/ouspg/protos/testing/c06/snmpv1/index.html#h-ref2
4 http://www.cert.org/advisories/CA-2002-03.html


ISAKMP Internet Security Association and Key Management Protocol ( $
)
DNS Domain Name System ( )


, PROTOS.

, $
, . 26.3.
Codenomicon
( ). $
$30 000 .
, $
, $
, , , , $

. $
. Codenomicon $
, ,
. 24 $

. 26.3. Codenomicon DNS


, $
.

GLEG ProtoVer Professional1


GLEG , VulnDisco2, ,
$
CANVAS3 Immunity, Inc. GLEG
, $
VulnDisco.
ProtoVer Professional; Python. $
:
IMAP Internet Message Access Protocol ( $
)
LDAP Lightweight Directory Access Protocol ( $
)
SSL Secure Sockets Layer ( )
NFS Network File System (
)
,
GUI $, . 26.4.
ProtoVer $
. $4500 $
.
.

Mu Security Mu4000
Mu Security Mu-4000⁴, $
,
. Mu-4000 $
, BreakingPoint,
$ ,
. $
Mu-4000 $
Linux,
Mu ,
. Mu ,
. , DHCP,
. 26.5.
1 http://www.gleg.net/protover_pro.shtml
2 http://www.gleg.net/products.shtml
3 http://www.immunitysec.com/products-canvas.shtml
4 http://www.musecurity.com/products/mu-4000.html


. 26.4. GLEG ProtoVer Professional: +

. 26.5. Mu Security Mu-4000


Security Innovation Holodeck


Holodeck1 Security Innovation $
,
$
, Microsoft Windows.
, $
, .
:
,
COM;
, $
, .
Holodeck $1495
API, $
$
. Holodeck . 26.6.
, , $
$
. ,
. $
.
,
$ .

. 26.6. Holodeck Security Innovation

1 http://www.securityinnovation.com/holodeck/




, ,
, $
.
$ , , $
. $
.
, , $
, $
. , $
. $
.
, ,
? 23 $
,
. , $
.
. $
,
,
$
. ,

$,
$
. , $
.


, , $
; $
. $
, ,
, ,

. $
$
, $
, $
. ,
, Microsoft Visual Studio Eclipse. $
$


$
, IBM Mercury. , $
,
.
DevInspect SPI Dynamics QAInspect,
.

? $
, .
$
. $
, , $
, $
,
. $
, .

, $

,
.
, $
24. $
. ,
.

. , $
( 24), IBM, Compuware, Parasoft OC Systems , ,
, .
, , $
. $
, $
. ,
$
. ? $
, , $
$
: $
, .

Accept, , 143
Accept-Encoding, , 143
Accept-Language, , 143
ActiveX, , 304
Adobe Acrobat PDF,
, 313
WinZip FileView, 317
, 304
, 307
, 316
, 309
, 317
, ,
, 312
, 316
, 292
Adobe Acrobat PDF
, 313
, ,
211
AIM (AOL Instant Messenger), ,
73
, 74
, 75
, 75
ap.getPayload(), , 373
apKeywords(), , 371
Apple MacBook, , 247
argv, , 125
ASCII, , 221
ASP (application service provider), 135
ASP.Net, 137
Autodafé, 387
av_handler(), , 495
AWStats Remote Command Execution
Vulnerability, $, 139
AxMan, 49

BeginRead(), , 174
BeginWrite(), , 174
beSTORM, 161, 517
BinAudit, 43
BindAdapter(), , 278
bit_field, , 395
Blaster, , 244
BoundsChecker, 504
bp_set(), , 350
BreakingPoint, 518
btnRequest_Click(), , 175
BVA (boundary value analysis), 45
byref(), , 336

C
cc_hits, , 469
CCR (
), , 100
cc_tags, , 469
CFG (control-flow graph)

, 450
, 450
, 449
CFG (control-flow graphs), 456
$,
456
CGI (Common Gateway Interface), 136
CISC (Complex Instruction Set Computer),
, 454
clfuzz, 61
Code Red, , 244
Codenomicon, 64, 519
, 47
HTTP, 161
COM (Component Object Model), 303



ActiveX,
Adobe Acrobat PDF,
, 313
WinZip FileView, 317
, 305
Raider, 292
VARIANT, , 313
, 304
, 304
, 304
commands, , 119
Common Gateway Interface (CGI), 136
Computer Associates Brightstor,

, 441
CONNECT, , 146
Connection, , 144
ContinueDebugEvent(), , 340
Convert, 385
Cookie, , 144
cookies, 150
crashbin_explorer.py, , 423
CRC (Calculating Cyclic Redundancy
Check), , 369
CREA, , 266
CreateFile(), , 318
CreateProcess(), , 36, 318
CreateProcess, , 338
create_string_buffer(), , 336
CSRF (Cross-Site Request Forgery), 155
CSS (Cascading Style Sheet)
CSSDIE, , 48, 65, 293
, 294
CSSDIE, 48, 65, 293
ctypes, , 335

D
DataRescue Interactive Disassembler Pro
(IDA Pro), 455
DBI (Dynamic Binary Instrumentation),
91, 502
DynamoRIO, 502
Pin, 502
, , 503
, 503
, 91
DebugActiveProcess(), , 338
DEBUG_EVENT, , 340
DebugSetProcessKillOnExit(), ,
338

DELETE, , 146
DevInspect, , 514
Dfuz, 373
, 373
, , 374
, , 376
, , 375
, 376
, 374
DHTML ( HTML), 48
Distributed COM (DCOM), 304
DOM (Document Object Model), 305
DOM-Hanoi, 65
DoS (Denial-of-service)
$, 299
$, 153
DownloadFile(), , 318
Dynamic Data Exchange (DDE), 304
DynamoRIO, , 502

E
Enterprise Resource Planning (ERP), 139
ERP (Enterprise Resource Planning), 139
Ethereal, , 351
Excel, , eBay, 219
Execute(), , 318
eXternal Data Representation (XDR), 249

F
File Transfer Protocol (FTP), 72, 377
FileAttributes, (Flash), 392
FileFuzz, 62
ASCII, , 221
, , 223
, 219
, 240
, 220
, 221

, 222
, 89
, 236
, 229
, 230
, 231
, , 230

, 233
, 229
, 230

, 229
, , 229
, 217
, 240
find, , 115
Flash, 298
flatten(), , 396
FTP (File Transfer Protocol), 379
func_resolve(), , 350
fuzz_client.exe, 350
fuzz_server.exe, 350
OllyDbg, 352
WS2_32.recv(),
, 352
, 362
, 355
, 352
, 361
, 352
fuzz_trend_server_protect_5168.py, 431

G
GDB (GNU Debugger), 42, 118
GDI+ , ,
236
GET, , 145
GetCurrentProcessId(), , 335
getenv, , 118-119
getopt, , 125
GetThreadContext(),
, 344
GetURL(), , 318
Gizmo Project, , 471
SIP
, 475
, 472
, 476
, , 476
, 478
, 479
, 471
, 472
, , 476
GNU Debugger (GDB), 42, 118
GPF (General Purpose Fuzzer), 384

H
Hamachi, 48, 65
handler_bp(), , 350
HEAD, , 145


Hewlett-Packard Mercury LoadRunner,
, 282
Holodeck, 523
Host, , 144
HTML (Hypertext Markup Language)
, 168
, , 290
HTTP (Hypertext Transfer Protocol)
, , 167
, 156
, 154
, 149

I
IAcroAXDocShim, , 314
IBM
AIX 5.3, , 131
ICMP, , 446
IDA (Interactive Disassembler), 41
IDA Pro (DataRescue Interactive Disassembler Pro), 455
IDE (
), 513
iFUZZ, 61
getopt, , 126

argv, 125
getenv,
, 126
/
,
125
, 132
, 127
Fork, Execute Wait, 128
Fork,
Ptrace/Execute Wait/Ptrace, 129
, 131
, 124
, 130
IID (ID ), 305
Inspector, 43
INT3, , , 341
IObjectSafety, , 311
Ipswitch
I-Mail
, 437
Imail



Web Calendaring,
, 179
Whatsup Professional,
SQL, 182
Whatsup Professional SQL Injection
attack, 139

J
Java, 137
JavaScript, 137

K
kill bitting, 312

L
libdasm, , 97
libdisasm, , 97
Libnet, , 98
LibPCAP, , 98
LogiScan, 43

M
MacBook, , 247
Macromedia Flash, 298
mangleme, 65
Matasano Protocol Debugger, 440
MATRIX, , 397
Metro Packet Library, 98
Microsoft
NDIS, , 274
SAMBA, 437
Windows
Live/Office Live, 135
, 321
, 509

(MSRPC), 63

, 31

Excel, , eBay, 219


GDI+ , 218,
236
Outlook Express NNTP,
, 463
Outlook Web Access Cross-Site
Scripting, 138
PNG, 218

WMF, 218
, 38
, 243
MLI (mutation loop insertion), 327, 333
MMalloc(), , 103
MSRPC (
), 63
Mu Security, 49
Mu-4000, 521
Multiple Vendor Cacti Remote File Inclusion Vulnerability, $, 139
mutation loop insertion (MLI), 333

N
NDIS, , 274
Netcat, 72
Network News Transfer Protocol (NNTP),
462
NMAP (NetMail Networked Messaging
Application Protocol), 255
SPIKE NMAP, ,
263
, 255
NNTP (Network News Transfer Protocol),
462
notSPIKEfile, 62
UNIX, 207
, 203
forking off/
, 205
UNIX, 208
, 201
, ,
211
$, 208
, 201

, 202

RealPix, 212
, 214
NW (Needleman-Wunsch), ,
445

O
OASIS (

), 77
ODF (OpenDocument format), 77
Office Live, 135

OllyDbg, 352
WS2_32.recv(), ,
352
, 354
, 354
, 355
, 355
OnReadComplete(), , 174
open XML, , 78
OpenDocument format (ODF), 77
OpenSSH,
, 246
OPTIONS, , 146
OSCAR (
), 73
Outlook Express NNTP,
, 463
OWASP (WebScarab), 64

P
PAGE_EXECUTE, , 322
PAGE_EXECUTE_READ, , 322
PAGE_EXECUTE_READWRITE,
, 322
PAGE_NOACCESS, , 322
PAGE_READONLY, , 322
PAGE_READWRITE, , 322
PaiMei, 464
PIDA, , 465
PaiMei,
ActiveX, 318
PaiMei,
, 464

, , 494
, , 497
crash binning, 498
SWF, 402
PAIMEIfilefuzz, 62
PAM (Percent Accepted Mutation), 446
parse(), , 325
Pattern Fuzz (PF), 385
PDB (Protocol Debugger), 440
PDML2AD, 389
Peach, , 381
, 381
, 382
, 383
, 381
, 382


, 382
Percent Accepted Mutation (PAM), 446
PF (Pattern Fuzz), 385
PHP (Hypertext Preprocessor), 136
phpBB Group phpBB Arbitrary File Disclosure Vulnerability, $, 138
PI (Protocol Informatics), 445
PIDA, , 465
Pin DBI, , 502
PNG, , 218
POST, , 151
printf(), , 266
process_restore(), , 361
process_snapshot(), , 359
ProgID ( ),
305
Protocol Debugger (PDB), 440
Protocol Informatics (PI), 445
ProtoFuzz
NDIS, , 274
, 270
,
, 275
, 272

, , 275
, 269
, 272
, 284
, 281
, 270
, 276
, 279
, 281
, 278
, 277

/,
281
, 274
, 275
PROTOS, 47, 519
ProtoVer Professional, 521
ProxyFuzzer, 439
PStalker
Gizmo Project,
SIP, , 475
SIP$, , 472
, 476
, , 476
, 478



, 479
, 471
, 472
, , 476

, 468
, 468
, 467
, 469
, 469
ptrace, , 122
PTRACE_TRACEME, , 206
PureFuzz, 384
PUT, , 145
PyDbg, , 348

, 356
Python
ctypes, , 335
PaiMei, , 464
PIDA, , 465
,
494
, 464

, 497
crash binning, 498
SWF, 402
Protocol Informatics (PI), 445
PyDbg, , 348

, , 460

, 356
COM, 307
, 99
PythonWin COM, , 307
PythonWin,
, 307

R
randomize(), , 396
Rational Purify, 504
RATS (Rough Auditing Tool for Security),
33
RCE (reverse code engineering),

, 43
, 40
ReadProcessMemory(), , 336

RealPlayer
, ,
212

RealPix, 212
RealServer ../ DESCRIBE, ,
246
ReceivePacket(), , 278
record_crash(), , 498
RECT, , 396
Reduced Instruction Set Computer
(RISC), , 454
RFCs ( ), 77
RGB, , 396
RISC (Reduced Instruction Set Computer), , 454

S
SAMBA, 437
SAP Web Application Server sap-exiturl
Header HTTP Response Splitting, $
, 139
s_block_end(), , 261, 410
s_block_start(), , 261, 410
s_checksum(), , 414
SDL (Security Development Lifecycle),
508
SDLC
, 91
SDLC (Software Development Lifecycle)
Microsoft SDL, 508
, 508
, 510
, 512
, 510
, 511
, 512
SDLC (software development lifecycle), 91
SecurityReview, 43
SEH (Structured Exception Handler), 497
self.push(), , 416
set_callback(), , 350
setgid, , 115
setMaxSize(), , 373
setMode(), , 373
SetThreadContext(), , 344
setuid
, 115
, 60
Sharefuzz, 61

Sidewinder (), 452
SIGABRT, , 207
SIGALRM, , 208
SIGBUS, , 207
SIGCHLD, , 208
SIGFPE, , 208
SIGILL, , 207
SIGKILL, , 208
SIGSEGV, , 207
SIGSYS, , 207
SIGTERM, , 208
Simple Web Server,
, 180
SIP
, 475
, 472
SIPPhoneAPI, , 475
smart(), , 396
SPI Dynamics Free Bank,
, 184
SPI Fuzzer, 64, 161
SPIKE, 48, 63, 378
Proxy, 160

, 261
,
, 262
, 381
, 263
TCP, 259

, 378
FTP, 379
UNIX, 254
SPIKE NMAP,
, 263
, 255
, 259
SPIKEfile
UNIX, 207

, 202
, 203
, 203
forking off/
, 205
UNIX, 208
, 201
, ,
211
$, 208


, 201
, 214
s_repeat(), , 414
SRM (snapshot restoration mutation),
328, 333
sscanf(), , 444
SSH ( ), , 87
s_sizer(), , 413
strcpy(), , 32
Structured Exception Handler (SEH), 497
'su', , , 114
Sulley, , 403
RPC, ,
, 427
, 431
, 431
, 428
, 429
, 410
, 410
, 412
, 411
, 403
$, 403
, 431
, 409
, 428
, 417
, 419
$, 422
, 419
, 417
, 429

, 419
, 408
, 404
, 406
, 422
, , 431
, 413
, 414
, 415
, 414
, 413
, 407
, 415
SuperGPF, 384
SW (Smith-Waterman),
, 445
SWF (Shockwave Flash), 390



bit_field, , 395
dependent_bit_field, , 397
MATRIX, , 397
RECT/RGB, , 396
SWF$, , 391

, 401
, 391
, 391
, 403
,
400
, 402
, 400
, 391
syslog(), , 490

T
taboo(), , 488
TCP/IP, , 248
TcpClient, , 171
Thread32First(),
, 345
to_binary(), , 396
to_decimal(), , 396
TRACE, , 146
Trend Micro Control Manager,
, 178
Trustworthy Computing Security Development Lifecycle document (Microsoft),
38
TXT2AD, 389
type, length, value (TLV),
, 368

U
UNIX
,
207-208
, 255
, 117
unmarshal(), , 325
UPGMA (Unweighted Pairwise Mean by
Arithmetic Averages), , 446
URL, , 299
User-Agent, , 144

V
Valgrind, 504

VARIANT, , 313
VirtualQueryEx(), , 346
VML ( ), 291

W
WebFuzz
, , 180
, 187

HTML, , 168
HTTP, , 167
TcpClient, , 171
XSS$, , 184
, 172
, 168
,
, 169
, 163
SQL, , 182

,
170
, 165
, 164
, 169
, 170
, 176
, 175
, 169
, 187
, ,
170
WebScarab, 64, 152, 161
WinDbg, 42
Windows
Explorer, ,
225, 228
Live, 135
WMF, , 218
, 321
,
337
, ,
228
, 216
, 228
winnuke, 248
WinPcap, , 275
WinRAR, 193
WinZip


MIME, 189
WinZip,
FileView ActiveX Control Unsafe
Method Exposure, 317
Wireshark, 97
$, 351
, 256
WMF, , 218
WordPress Cookie cache_lastpostdate
Variable Arbitrary PHP Code Execution, $, 139
Wotsit, $, 438
write_process_memory(), , 361
WriteProcessMemory(), , 336
WS2_32.recv(), , 352

X
XDR (eXternal Data Representation), 249
xmlComposeString(), , 425
XML$, , 291
XSS (Cross-site scripting), 153, 184

, 33
, 30
, 368
, 494
PaiMei$ crash binning, 498
, 494
, , 494
, , 497
, 95
, 96

, 95

, 445
, 448
, 439

, 59

, 251

, 491
, 489
, ,
301

(), 448
CFG ,
450
CFG
, 450
CFG
, 449
Sidewinder, 452

, 449
, 448
, 449

, 446
, 445
,
, 445
, ,
444

ProtoFuzz, , 270
(BVA), 45
, 341
, 112
, , 189
(WebFuzz), 172
, , 223
(), 154


/ , 456
, 456
, 459

cc_hits, 469
cc_tags, 469
, , 445
(SSH), 87

Microsoft, 509
, , 300
, 514

libdasm, 97
libdisasm, 97
Libnet, 98
LibPCAP, 98
Metro Packet Library, 98



PyDbg, 459
SIPPhoneAPI, 475
WinPcap, 275

, 97
, 275
, 120

, 109
, 108
, 108
, 104
, 105
, 107
, 101

, 43
, 40
, 444
, 403

Sulley, , 410
, 410
, 412
, 411
, 413

/ , 456
, 456
, 459
, 81

, 261
, 378
, 81
, 413
, 414
, 415
, 414
, 413

ActiveX, , 307
, 316
, 309
, 317
, ,
, 312
, 316
, 64
, 289
CSS, 293

Flash, 298
URL, 299
HTML, 289
, 294
HTML, 290
XML, 291
ActiveX,
292
, 48
, 286
, 288, 294, 299
, 286
, 301
, 287
, 295
, 288
, 299

$, 299

(MLI), 327

, 51
$ , 64
ActiveX, 307
, 316
,
309
, 317
, ,
, 312
, 316
, 289
CSS, 293
Flash, 298
URL, 299
HTML, 289
, 294
HTML, 290
XML, 291
ActiveX,
292
, 48
, 286
, 288, 294, 299
, 295
, 299
, 286

, 301
, 287
, 295
, 288
, 299
$ , 139
$ (Sulley), 422
$, , 138
$ , 64
$ , 160
beSTORM, 161, 517
Codenomicon, 161
HTML, , 168
HTTP, , 167
SPI Fuzzer, 161
SPIKE Proxy, 160
WebScarab, 161
XSS$, , 184

cookies, 150
, 141
, 149
, 151
, 145
, 149
POST, 151

, 147
, 139
, ,
169
, 163
SQL, , 182
, 134

, 156

, 170

Ipswitch Imail Web Calendaring,
179
Trend Micro Control Manager, 178
, 138
, 165
, 164
, 154, 180
, 169

TcpClient, , 171
, 172
, 170


, 176
, 175
, ,
170
, 169
, 169
, 187
, 136
, 153, 168
$
CodeSpy, 33
Flawfinder, 33
ITS4, 33
Jlint, 33
Splint, 33
Wotsit, 438

RATS download, 33
AWStats Remote Command Execution
Vulnerability, 139
IpSwitch WhatsUp Professional 2005
(SP1) SQL Injection, 139
Microsoft Outlook Web Access Cross-Site Scripting, 138
Multiple Vendor Cacti Remote File Inclusion, 139
phpBB Group phpBB Arbitrary File
Disclosure, 138
SAP Web Application Server sap-exiturl Header HTTP Response Splitting, 139
Sulley, , 403
Tikiwiki tiki-user_preferences Command Injection, 138
Wireshark, 351
WordPress Cookie cache_lastpostdate
Variable Arbitrary PHP Code Execution, 139

OpenSSH, 246
RealServer ../ DESCRIBE, 246
RPC DCOM, 246

MIME WinZip, 189
, , 138
, 140
, 508
, 510
, 512
, 510
, 511



, 512
, 496
, 66
,
66
,
, 66
, 84
, 96
, 39

, ,
346
, 344
,
, 346

fuzz_server.exe, 352
OllyDbg, 355
(RCE), 40

$
cookies, 150
, 141
POST, 151
, 149
, 151
, 145
, 149

, 147

, 193

$
CSS, 294
Flash, 298
URL, 299
HTML, 289
, 294
HTML, 290
XML, 291
ActiveX,
292

, 275
, 348
$,
141
cookies, 150

POST, 151
, 149
, 145
, 149

(URI), 147
, 71
, 493
(), 450
, 95

( ), 448
CFG
, 450
, 450
, 449
Sidewinder, 452

, 449
, 448
, 449
, 381
, 370
SWF, , 401
, 518

CCR, , 100

, 109
, 108
, 108
, 104
, 105
, 107
, 101
, 524
(PHP),
136
, 86

Sulley,
, 424
SMTP$, 417
, 455
, , 61

Peach, , 382
, 410


ProtoFuzz, , 279
, 270

ProtoFuzz, , 276
, 270

, 381
, 370
SWF, , 401

CCR, , 100
, 109
, 108
, 104
, 105
, 107
, 101

PStalker, 468
, 468

PStalker, 467

Dfuz, 373
, , 247
, 108

apKeywords(), 371
Sulley, , 403
, 409
, 109
, 108
, 108
, 335
, 105
, 409
, 103
, 104, 408
, 107
, 413
, 101
, 407
, 415
, 469
POST,
$, 151
(FileFuzz), 220


, 73
, 40
adbg, 388
DBI
DynamoRIO, 502
Pin, 502
, 503
GDB, 42
OllyDbg, 42, 352
WS2_32.recv(),
, 352
, 354
, 355
, 355
WinDbg, 42
,
493
DBI, 502
PaiMei$ crash binning, 495
, 494
, , 494
, 488
, , 497
$ , 301
, 198
, 252
$, 157
$, 456
, 40
, 40

, 455
, 443
, 84

, 53
, 357

, 35
, 44
, 39

, 139
$, 157

(), 412



Accept, 143
Accept-Encoding, 143
Accept-Language, 143
Connection, 144
Cookie, 144
Host, 144
SWF$, , 391
User-Agent, 144
$,
149
HTTP, 144
,
, 503

, 492
, , 48

, 491
, , 336

GetTypeInfoCount(), 313
LoadTypeLib(), 313

(CCR), , 100
ap.getPayload(), 373
av_handler(), 495
bp_set(), 350
ContinueDebugEvent(), 340
DebugActiveProcess(), 338
DebugSetProcessKillOnExit(), 338
flatten(), 396
func_resolve(), 350
GetFuncDesc(), 314
GetNames(), 314
GetThreadContext(), 344
handler_bp(), 350
HTTP, 167
MMalloc(), 103
parse(), 325
process_restore(), 361
process_snapshot(), 359
randomize(), 396
record_crash(), 498
s_checksum(), 414
self.push(), 416
set_callback(), 350
setMaxSize(), 373
setMode(), 373
SetThreadContext(), 344
smart(), 396

s_repeat(), 414
sscanf(), 444
s_sizer(), 413
strcpy(), 32
syslog(), 490
Thread32First(), 345
to_binary(), 396
to_decimal(), 396
unmarshal(), 325
VirtualQueryEx(), 346
WebFuzz, 175, 177
write_process_memory(), 361
xmlComposeString, 425
, 169
$, 163, 165
(RFC), 77

, 57
, , 49, 65
(), 493
, , 48, 65
$, 208

, 442
Sulley, 404


Microsoft, 31
, . , 459

.
Autodafé, 387
beSTORM, 161, 517
BinAudit, 43
BoundsChecker, 504
BreakingPoint, 518
BugScam, 43
clfuzz, 61
Codenomicon, 519
, 47
HTTP, 64
COM Raider, 65
COMRaider, 49, 292
Convert, 385
crash binning, 498
crashbin_explorer.py, 423
CSSDIE, 293
DevInspect, 514


Dfuz, 373
fuzz_trend_server_protect_5168.py, 429
GPF, 384
PDML2AD, 389
TXT2AD, 389
, 373
, , 374
, , 375
, 376
, 374
, 376
DOM-Hanoi, 65
FileFuzz, 62
ASCII, , 221
, , 223
, 219
, 240
, 220
, 221

, 222
, 236
, 229
, 217
, 240
Hamachi, 65
Holodeck, 523
iFUZZ
getopt, , 126
, 125
,
132
, 127
Fork,
Execute Wait, 128
Fork,
Ptrace/Execute Wait/Ptrace,
129
, 131
, 124
, 130
iFuzz, 61
Inspector, 43
LogiScan, 43
mangleme, 65
Mu-4000, 521
Netcat, 72
notSPIKEfile, 62


forking off/
, 205
UNIX, 207
, 203
UNIX,
208
, 201
,
, 211
$, 208
, 201

, 202

RealPix, 212
, 214
PAIMEIfilefuzz, 62
Pattern Fuzz, 384
Peach, 63, 381
, 381
, 382
, 383
,
381
, 382
, 382
ProtoFuzz
NDIS, , 274
, 270, 279
,
, 275
, 272
, , 269
, 272, 281
, 278
, 284
, 281
, 270
, 277
, 274

/,
281
, 275
PROTOS, 472, 519
ProtoVer Professional, 521
ProxyFuzzer, 439
PStalker, 473
Gizmo Project, , 471
, 468
, 468


, 467
, 466
, 469
, 469
ptrace(), 98
PureFuzz, 384
SecurityReview, 43
Sharefuzz, 61
Sidewinder, 452
SPI Fuzzer, 64
SPIKE, 63, 378
Proxy, 160
,
, 261
, 380
, 263
TCP, 259

, 378
FTP, 379
UNIX, 254

, 262
, 259
SPIKE Proxy, 160
SPIKEfile
forking off/
, 205
UNIX, 207
, 203
UNIX,
208
, 201

, 202
,
, 211

, 203
$, 208
, 201
, 214
Sulley, , 403
RPC, ,
, 427
, 409
$, 403
, 431
, 409
, 428
, 408

, 404
, 406
, 422
, , 431
, 413
, 407
, 415
SuperGPF, 384
WebFuzz
HTML, , 168
HTTP, , 167
TcpClient, , 171
XSS$, , 184
, 172
, 168
,
, 169
, 163
SQL
, 182

,
170
, 178
, 165
, 164
, ,
180
, 169
, 170
, 175
, 187
, 169
, 169
, 187
, ,
170
WebScarab, 64, 152, 161
, 33
Python, 99

Outlook Express NNTP,


, 463
PaiMei, , 464
PyDbg,

, 460
, 455
, 480
, 459
, 453

, 458
, 482

(IDE), 513

, 39

,
, 500
, ,
487
, 487

, 250
, 192

IObjectSafety, 311
PIDA, 465
ID (IID), 305
COM, 304
IAcroAXDocShim, 314
SQL
, 182
, 155

$, 156, 170
, 340
, 52
, 202, 222
, 203
,
500

, . , 454
, 52
, 514

COM, 304
SAMBA, 437
, 47
ActiveX, 49
Codenomicon, 47
PROTOS, 47
SPIKE, 48
, , 47
, 49
, 48

, 30
, 32

(CSS)
CSSDIE, 48

apKeywords(), 371
bit_field, 395
PyDbg, 348, 357
TcpClient, 171
, 242, 294, 299

Ethereal, 351
, 351


Peach, 381
, 371
(), 411
, 198
, 60

break, 119
commands, 119
CREA, 266
, , 300
, 109
, 516
beSTORM, 517
BreakingPoint, 518
Codenomicon, 64, 519
, 47
Holodeck, 523
Mu-4000, 521
ProtoVer Professional, 521
( ), 456
,
(SPIKE), 263
,
, 262
, 514
, , 487

, 414

, , 198
, 485
$, 139

, , 415


,
, 252
, , 196
, 60
getenv, , 118
iFUZZ
getenv,
, 126
getopt, , 126
, 125
,
132
, 127
Fork,
Execute Wait, 128
Fork,
Ptrace/Execute Wait/Ptrace,
129
, 131
, 124
, 130
, 60, 112
ptrace, 122
, 117
, 121
, 115
, 61, 112
GDB, 118
, 120
, 114
, 122
, 62

, 48
,
, 300
(XSS), 153, 184
, , 48
, , 424
, 198

ActiveX, 312
BeginRead(), 174
BeginWrite(), 174
btnRequest_Click(), 175
CONNECT, 146
CreateFile(), 318
CreateProcess(), 318
DELETE, 146

DownloadFile(), 318
Execute(), 318
forking off
, 205
GET, 145
GetURL(), 318
HEAD, 145
HTTP, 154
OnReadComplete(), 174
OPTIONS, 146
POST, 145
ptrace, 122
PUT, 145
TRACE, 146

, 59
, 30
, 30

, 43
, 40
, 35
, 32
$ , 288
, 289
, 288
($),
141
, 59
,
57

, 58

, 327
, 334
, 329

, 328

, 334
, 40
, 44
,
59

, 57
SWF, 402
, 249
, 249


, 251
, 249
, 250
, 250
, 190
, 193
, 191
, 192
, 35
, 39
(beSTORM), 161, 517
, 36
, 38
, 370
, , , 47

(iFUZZ), 125
, 55

, 251

ctypes, 335
iFUZZ, 125

(SRM), 328

,
493
PaiMei$ crash binning, 498
, 494
, , 494
, , 497
, 52
, 139
ActiveX, 316
, . ., 49, 65
, 46, 249

( ), 456
$ , 105
HTTP,
154
(NX)
, 489
, 60
, , 445


, 202
, 273
DBI, 503
$, 301
, , 488
, 424
, 491
,
, 500
, ,
487
, ,
487
, 485
, 487
, 330
, 252
, 273
,
, 488
, 370
, 489
, 197
, , 249

fuzz_server.exe, 352

, ,
346

, 334
,
, 346
, 344
, 352

, 357
, 359
, 419

Ipswitch Imail Web Calendaring, 179
Trend Micro Control Manager, 178
, 179
, 108

setuid, , 60
Sulley, , 419


UNIX, 255
, 115
,
493
PaiMei$ crash binning, 498
, 494
, , 494
, , 497
, 326
, 513
, 459
, 245
$
, 138
, 138
, 245
, 245
, 247
, 249
, 249
, 248
, 248
, 248
, 189

PStalker, 469
, 91

, 53
, 53
,
55
, 54
, 54
, 66

(iFUZZ), 125
, 65
WS2_32.recv(), ,
352
OllyDbg, 352
, 352
PyDbg, 356
, , 351
, , 352
, 66
, 329
, 66

, 327
, 334


, 328

, 334
, 333
, 320
, ,
348
, 330
/ ,
344
, 326
, 341
EIP, , 343
INT3, , 341
, 344
,
, 341
,
342
, 65

fuzz_client, , 362
fuzz_server, , 362
fuzz_server, , 359
, 360
, , 351
, 355
, 357
, 359
,
361
/
, ,
346

, , 346
, 65
, 329
, 66
, 352
, 352
, , 348
, , 335
, 65
,
, 252

, 89
$, 90
DBI, 91



(OASIS), 77
, 263
TCP, 259

, ,
169
, 169

, 194

(OSCAR), 73
, 77
(Windows), 337

, 349

, 198
, , 339
, , 340

, 205
, 89
, 203

, 35
, 44
, 39

, 273
,
DBI, 488
, 424
,
, 500
, , 487
, , 424
, 330
, 252
, 273

$, 301
, , 488
, 491
, ,
487
, 485
, 487


, 489
,
, 488
, 370
, , 89
$, 90
, 89
DBI, 91


, 275
, 269

, 322
Windows, 321
,
, ,
336
, 334

, 334
,
, 348
, , 348
. /
, 336
/
, 344
, 341
, , 348
, , 335

, 327
, 329
,
325

, 328
, 320
, 330
, 326
, 319
, 329

, 491
, ,
487
, 489


, 54
, 361
, , 346

, , 370
, 80
, 335
, 72
, 70

, 374
, 272
, 61
, 118
getenv, , 118
GDB, 118
, 120
, 276
$, 164
, 112
GDB, 118
, 120
getenv, 119

GDB, 118
, 120
getenv, 119
(), 264

($), 180
,
, 196

Novell NetMail IMAPD, 103
, 150
, 341
EIP, , 343
INT3, , 341
, 344
,
, 341
, 342
, 89
, , 89
, , 62
, 154
, 120


ActiveX, 309


GDB, 118
, 120
getenv, 119
, 105
, 70
, 77
, 46
, forking off
, 205
, 444

, 346
, , 376

, 424
, 424
, ,
249
, 382

'su', , 114
setuid, 60
(ASP), 135
$, 64
, 139
, 134

, 156
, 138
,
151
, 150
, 136
, 153
, 114

ECMAScript, 294
FileFuzz, 229
iFUZZ, 130
ProtoFuzz, 275
, 99
SPIKEfile notSPIKEfile, 214
, 368

, 341

, 487
, 491

, ,
487
, 489

Antiparser, 371
CreateProcess(), 338
Windows, 337
$, 439
, 485
,
, 196
, 63
AIM (AOL Instant Messenger)
, , 48

, 340

AIM, 73
, 74
,
75
FTP, 72
HTTP, 149
ICMP, 445
NMAP, 255
SPIKE NMAP,
, 263
, 255
NNTP, 462
SIP
, 475
, 472

, 444
, 448
, 439
$,
149
, 73
, 274
, 442
, 69
, 368
, 68
, 68
, 77
, 72
, 70
, 77
, 63


, 76

, 270
, 274
, 249

, 251
,
, 247
,
, 249
, 245
, 243
, 272
, , 251, 273
, 272
,
, 249
, 270
, 269
,
, 248
, ,
248

, 243
,
, 248

, 63
, 63
, 63
TLV, 368
, 438

, 58
, 59
, 436

, 81
, 81
, 80
, 81
Dfuz, 376

, 197
$, 157
, 459

, 86



, 208
, , 421
/
, ,
346
,
, 346
, 344

, 336
, 336
, 341
EIP, , 343
INT3, , 341
, 344
,
, 341
,
342
, , 348
, forking off
, 205
, 86

, 370

, 52

FileFuzz, 229
, 230
, 231
, , 230

, 233
, 229
, 230
, 229
, , 229
iFUZZ, 126
, 458
, 459
, 459
,
459
, 462
, , 462
DBI, 503
,
524

ActiveX, 307
, 316
,
309
, 317
, ,
, 312
, 316

forking off/
, 205
UNIX, 207
, 203

, 202
UNIX,
208

, 203
, 513
, 103
, 49
, , 65

(PaiMei), 464
, , 414
, 91

, , 62
, 36
(ActiveX), 312

Microsoft, , 243
, 351
, , 352
, , 246
,
, 246

Sulley,
, ,
419
, 429
Sulley, , 417
, 419
, 419
, 413
, ,
420

, 417
, , 248

, 277
, 242
, 139, 420
, 245
, 245
, 247
, 249
, 249
, 248
, 248
, 248
, 245
, 242
UNIX, 254
SPIKE NMAP,
, 263
, 255

, 243
, , 247
, 63
, 249
, 273
, 243
, , 251
, 63
, , 274
, 63
, 269

SIGSEGV, 55
UNIX, 207
, 122
, 55
, 108
, 455

SPIKE NMAP, , 263


XSS$, , 184

, 262
, 154
, 153

, 35
, 44
, 66
, 67


, 63
, , 386
, 406
,
, 445

, 157
, 243
$, 156
, 86
, , 197

,
341
, 346
,
198
, 346
, 438

, 32
, 406

NMAP, , 264
, 496
, , 488
, 438

Sulley, , 408
, 104
, 400
, 107
, 107
, 196
RealPix
RealPlayer, 212
, 488

, 54
,
HTML, 290
XML, 291

SDLC, 512
, 30
, 35
, 32
, 30
, 40



, 40
, 44
, 35
, 36
, 39
, 38

RCE, 40
, 36
, 58

, 57
, 348

WS2_32.dll recv(), 352
ws2_32.dll, recv(), 350
, 341
, 350, 359
, 341

Outlook Express NNTP,


, 463
PaiMei, , 464
PStalker
Gizmo Project, , 471
, 468
, 468
, 467
, 466
, 469
, 469
PyDbg,

, 460
, 455
CFG, 456
, 455
, 480
, 459
, 453
, 458
, 459
,
459
, 462
, 459
, , 462
, 482
, , 437

, 62
$, 64
$, 64
, 63

, 524
,
524
,
($),
147
, 247 249

FileFuzz
, 230
, 231
, , 230

, 233
, 230
ProtoFuzz, 276, 281
, 279
, 281
, 278
, 277

/,
281
WebFuzz
TcpClient, , 171
, 172
, 176
, 175
, 53

Apple MacBook, 247


CSS, 293
ERP, 139
Excel eBay, 219
Flash, 298
GDI+ , 218
HTML
, 289
, 290
Ipswitch I-Mail, 437
Outlook Express NNTP, 463
PNG, 218
RPC$, 246

SPI Dynamics Free Bank,
, 184
TCP/IP, 248
winnuke$, 248
WinZip FileView, 317
WMF, 218
, 155
$, 139
$, 138
$, 153
, 138
, 138
, 300
, 301
, 242, 299
, 294

, 109
, 300
, 246
, 247
, 249
, 108
,
300
, 299
, 487
, 491
, ,
487
, 489
, 154, 299
, 249
, 246
, 248

, 245
, 139
, 248
NMAP, , 264
,
NMAP, , 264
XML, 291
, 248
, 247 249
, 301
RealPix
RealPlayer, 212
, 107
Windows, 218


, 196
, 194
, 196

, 194
, 189
, 196
, 197
, 196
ActiveX, 292

(SDLC), 512
(GPF), 384
, 62
FileFuzz
ASCII, , 221
, , 223
, 219
, 220
, 231

, 222
, 217
notSPIKEfile
, 201
,
, 211
, 201

RealPix, 212
, 214
ODF, 77
Open XML, 78
SPIKEfile
, 201
,
, 211
, 201
, 214
Windows, 218
, 240
UNIX, 207
forking off/
, 205
, 190
, 193
, 191
, 192
UNIX, 208


, 197
, 224
Windows Explorer, 225
Windows, 228
, 236
$, 208
, 229
, 230
, 231
, , 230
, 203

, 202, 233
, 229
, 230
, 229
, , 229

, 196

, 194
, 194
, 196
, 189
, 196
, 197
, 196
, 240

Codenomicon, 47
SPIKE, 48
, , 47
PROTOS,
47
, 49
, 48
, 39

, 53
, 53
,
55
, 54
, 54
, 51
$
, 48

, 250
, 191

, 486
, , 493

,
52
, 52
, 51
, 52
, 51
,
51

.
SWF, 391
bit_field, , 395
dependent_bit_field, , 397
MATRIX, , 397
RECT/RGB, , 396
SWF$, , 391
, 401
, 391
, 403
,
400
, 402
, 400
, 391
, 392
, 398
, 117
, 376
, 49
, , 462
, 301
,
RealPix RealPlayer, 212
, ,
107, 127
, 107
, 488
, 196
, 66
Antiparser, 371
,
370
Autodafé, 387
CRC, , 369
Dfuz, 373
, 373
, , 374
, , 376

, , 375
, 376
, 374
GPF, 384
PaiMei
SWF$, 391
, , 494
,
, 497
crash binning, 495
Peach, 381
, 381
, 382
, 383
,
381
, 382
, 382
SPIKE, 378
, 380

, 378
FTP, 379
Sulley, 403
, 409
, 403
$, 403
, , 428
, 409
, 417, 429
, , 431
, 408
, 404
, 406
, 422
, , 431
, 407
, 415
,
368
,
66

, 66
, 67
,
370
, 370
, 368
, 368
, 370


, 66
, 370
, 368
, 67
, 370
, 368

.
BindAdapter(), 278
byref(), 336
CreateProcess(), 36, 221
create_string_buffer(), 336
Dfuz, 374
GetCurrentProcessId(), 335
getenv, 118
printf(), 266
ReadProcessMemory(), 336
ReceivePacket(), 278
s_block_end(), 261, 410
s_block_start(), 261, 410
taboo(), 488
WriteProcessMemory(), 336

,
, 295
, , 331
(), 469

, 101

Sulley, , 407
, , 194

, 51
, 339
(CRC),
, 369

(Microsoft), 243

, 489
, , 336


/
, 281

, 370
, 100
ActiveX, 316
, 109
, 108
, 108
, 104
, 105
, 439
, 441
, 443
, 442
$, 439
, 107
, 101

, , 49
, , 63
ActiveX
, 49

, 169

(VML), 291

ECMAScript, 294
FileFuzz, 229
iFUZZ, 130
ProtoFuzz, 275
, 99
SPIKEfile notSPIKEfile, 214
, 335
, 368

 
ISBN 9785932861479, Fuzzing:
